Pennsylvania-based Wawa Inc. said last week that its information security team discovered malware on its payment processing servers on Dec. 10 and stopped the breach on Dec 12.
The company believes the malware was collecting card numbers, customer names and other data as early as March 4.
At least two lawsuits have been filed in wake of the breach.
One lawsuit, which is seeking class-action status, was filed by Chimicles Schwartz Kriner on behalf of Tabitha Hans-Arroyo of Woodbury Heights, New Jersey.
The suit obtained by Action News claims that Wawa "did not value customer data security and privacy" and they failed to protect its customers' sensitive card information.
Wawa said it doesn't yet know how many customers were affected. Wawa said it's also unaware of any unauthorized use of credit cards as a result of the breach.
The suit claims that Tabitha Hans-Arroyo's Capital One credit card was recently used online at Walmart in the amount of $2535.15. But the purchase was declined due to lack of available credit.
Hans-Arroyo used the same card at various Wawa locations almost daily during the data breach window, the lawsuit says.
After being notified on Tuesday, Hans-Arroyo says a Capital One representative told her that her credit card was compromised in the Wawa breach after she called about the unauthorized access. She says she was never directly contacted by Wawa.
Ronnie Kaufman, who is being represented by Kohn, Swift & Graf, P.C., also filed a lawsuit last week against Wawa alleging that a credit card she used at a Wawa gas station in Parkland, Florida became compromised.
Wawa is providing potentially impacted customers with one year of identity theft protection and credit monitoring at no charge.
Wawa has also established resources to answer customers' questions, including a dedicated call center that can be reached at 1-844-386-9559.
"Wawa claims it is now offering credit monitoring and identity protection at the credit monitoring bureau of its choice. However, this belated remedy does nothing to protect against the millions of customers who had their sensitive data exposed to criminals for nearly nine months, and does not ensure protection from fraud going forward," the lawsuit states.
No monetary value has been set but the suit does state the matter exceeds $5 million.
-- The Associated Press contributed to this report.
READ THE CEO'S FULL LETTER BELOW:
Dear Wawa Customers,
At Wawa, the people who come through our doors every day are not just customers, you are our friends and neighbors, and nothing is more important than honoring and protecting your trust. Today, I am very sorry to share with you that Wawa has experienced a data security incident. Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019. This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained. At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines.
I want to reassure you that you will not be responsible for any fraudulent charges on your payment cards related to this incident, as described in the detailed information below. Please review this entire letter carefully to learn about the resources Wawa is providing and the steps you should take now to protect your information.
I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible.
Based on our investigation to date, we understand that at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations. Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019. Our information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware. We also immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts. Because of the immediate steps we took after discovering this malware, we believe that as of December 12, 2019, this malware no longer poses a risk to customers using payment cards at Wawa.
What Information Was Involved?
Based on our investigation to date, this malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on December 12, 2019. Most locations were affected as of April 22, 2019, however, some locations may not have been affected at all. No other personal information was accessed by this malware. Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver's license information used to verify age-restricted purchases were not affected by this malware. If you did not use a payment card at a Wawa in-store payment terminal or fuel dispenser during the relevant time frame, your information was not affected by this malware. At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident. The ATM cash machines in our stores were not involved in this incident.
What We Are Doing
As soon as we discovered this malware on December 10, 2019, we took immediate steps to contain it, and by December 12, 2019, we had blocked and contained it. We believe this malware no longer poses a risk to customers using payment cards at Wawa. As indicated above, we engaged a leading external forensics firm to conduct an investigation, which has allowed us to provide the information that we are now able to share in this letter. We are also working with law enforcement to support their ongoing criminal investigation. We continue to take steps to enhance the security of our systems. We have also arranged for a dedicated toll-free call center (1-844-386-9559) to answer customer questions and offer credit monitoring and identity theft protection without charge to anyone whose information may have been involved, which you can sign up for as described below.
What You Can Do
Customers whose information may have been involved should consider the following recommendations, all of which are good data security precautions in general:
Review Your Payment Card Account Statements. We encourage you to remain vigilant by reviewing your payment card account statements. If you believe there is an unauthorized charge on your payment card, please notify the relevant payment card company by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
Register for Identity Protection Services. We have arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you. Information about these services is available at www.wawa.com/alerts/data-security or call toll-free to 1-844-386-9559.
Order a Credit Report. If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report. In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228.
Review the Reference Guide. The Reference Guide below provides additional resources on the protection of personal information.
For More Information
If you have any questions about this issue or enrolling in the credit monitoring services we are offering at no charge to you, please call our dedicated Experian response phone line at 1-844-386-9559. It is open Monday - Friday, between 9:00 am and 9:00 pm Eastern Time, or Saturday and Sunday, between 11:00 am and 8:00 pm Eastern Time, excluding holidays (which include December 24, December 25, December 31, January 1, and January 20).
Along with the nearly 37,000 Wawa associates in all of our communities, we remain dedicated to serving you every day and being worthy of your continued trust.