Wawa customers who paid with credit or debit cards in the last nine months may have had their card information compromised, the convenience store chain announced Thursday.
In a letter, Wawa CEO Chris Gheysens said the chain’s information security team “discovered malware on Wawa payment processing servers” on Dec. 10, “contained” the malware by Dec. 12 and “immediately engaged a leading external forensics firm and notified law enforcement.”
“This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained,” Gheysens wrote. “At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa.”
The chain operates more than 850 stores in Delaware, Pennsylvania, Maryland, Virginia, New Jersey, Florida and Washington, D.C.
Wawa says the malware did not capture PIN numbers or CVV2 numbers and that ATM machines in stores were not impacted.
The letter said at this time Wawa officials were “not aware of any unauthorized use of any payment card information as a result of this incident.”
“At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust,” Gheysens said in the letter. “I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident.”