Convenience store chain Wawa disclosed today a card breach after its security team found malware installed on its payment processing systems.
Wawa said the malware collected payment card information from customers who used credit or debit cards at their stores and gas stations.
The malware was installed on its servers on March 4 this year, and was discovered on December 10, and removed two days later on the 12.
“Based on our investigation to date, we understand that at different points in time after March 4, 2019, [the] malware began running on in-store payment processing systems at potentially all Wawa locations,” the company said.
“Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019.”
The breach appears to be one of the biggest card incidents this year. According to its website, Wawa operates more than 860 convenience retail stores, of which 600 also double as gas stations.
The company operates strictly on the US East Coast, with locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.
Wawa said the malware was configured to collect payment data that passed through its in-store Point-of-Sale (POS) systems, such as credit and debit card numbers, expiration dates, and cardholder names.
The malware didn’t collect debit card PIN numbers, credit card CVV2 numbers, and driver’s license information used to verify age-restricted purchases, the company said.
Transactions made through ATMs installed at Wawa locations were not impacted.
Wawa disclosed its security breach a week after payments processor VISA published a security alert about multiple incidents involving POS malware at gas pumps across North America.
Wawa customers who believe they are impacted can find more information in the company’s security breach notice.