For nine months, payment processing systems at Wawa, the American chain of convenience and fuel stores, harbored malware that steals credit card information.
In an open letter published online yesterday, Wawa CEO Chris Gheysens announced that the malware had potentially been operating at all of Wawa's 842 locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Washington, DC, and Florida since March.
"Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019," wrote Gheysens.
"This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained."
By April 22, the malware is thought to have spread to most Wawa stores.
An investigation launched by Wawa into the incident discovered that payment card information, including debit and credit card numbers, expiration dates, and cardholder names, had been exposed as a result of the long-running cyber-attack. ATMs in Wawa stores were not impacted.
In a statement released to the press yesterday, Wawa said that it "is not aware of any unauthorized use of any payment card information as a result of this incident."
Wawa has said it took "immediate steps after discovering this malware and believes it no longer poses a risk to customers." However, no details have been revealed as to what type of malware was used in the prolonged card-skimming attack or how it gained a foothold in Wawa's payment processing systems.
Gheysens apologized for the breach and assured all impacted customers that they "will not be responsible for fraudulent charges related to this incident."
Jonathan Deveaux, head of enterprise data protection at comforte AG, commented: "Details are unclear regarding the type of malware installed on the Wawa payment processing servers; however, if the payment card data was protected in real-time with security tokenization, exfiltration of data from Wawa databases would have contained worthless tokens for the bad actors.
"Instead, when data is left in its clear-text form, credit and debit card numbers are exposed, which can put millions of payment card holders in a bad position."