Wawa says data breach included customer credit card numbers

Convenience store and gas chain Wawa announced that many of its stores were affected by a months-long data breach this year and that customer debit and credit card information was collected. 

The company’s information security team discovered malware on its payment processing servers on Dec. 10 and it was contained by Dec. 12, the company said in a statement on Thursday. The malware began running at various points after March 4. 

Data involved in the breach includes debit and credit card numbers, expiration dates and cardholder names, the company said. It does not include PIN numbers or CVV2 numbers, and in-store ATMs were not affected. 

Wawa said that potentially all of its more than 850 locations were affected. The company said it is notifying potentially impacted individuals but did not say how many people may have been subject to the data breaches. Wawa is not aware of any unauthorized uses of payment cards as a result of the data breach.

Wawa CEO Chris Gheysens apologized in the statement. 

“Once we discovered this malware, we immediately took steps to contain it and launched a forensics investigation so that we could share meaningful information with our customers,” Gheysens said. “I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident.”

The chain is also offering customers free identity protection and credit monitoring services.