Wawa stores hit by POS malware attack, credit card info of thousands of customers stolen

Convenience store chain Wawa disclosed a card breach after its security team found POS malware installed on its payment processing systems

Convenience store and gas station chain Wawa announced a data breach after its security team found malware hidden on its POS (point-of-sale) payment systems designed to steal customers' debit or credit card information.

Wawa data breach

Wawa said the POS malware successfully collected payment card information from thousands of customers who used their cards to make payments at their convenience store and fuel dispensers at gas station outlets. The malware was installed on its servers on March 4 this year but was only discovered on Dec. 10 and removed a couple of days later.

The company's CEO Chris Gheysens said in a statement that the stolen information "is limited to payment card information, including debit and credit card numbers, expiration dates and cardholder names, but does not include PIN numbers or CVV2 numbers."

A Wawa convenience store and gas station outlet in North America. Wawa

The malware also collected driver's license information that is used to verify age-restricted purchases but card transactions made through ATMs installed at Wawa locations were not affected. The company said it does not know the extent of the damage in terms of the number of customers affected but what it does know is that the data breach has affected all of Wava's 850 locations, which span across the East Cost from Pennsylvania to Florida.

The news of Wawa's data breach comes just days after financial services major Visa issued a warning about cybercrime groups using POS malware to target gas stations in the U.S.

POS malware: How does it work?


Hackers can gain entry into the payment systems through the gas station's computer using a phishing email or other methods. Once the malicious malware gains access to the system, it gets to work, continuously combing through the machine's RAM for customers' unencrypted credit or debit card information, which it collects before uploading it to a remote server.

While the in-store POS terminals at gas stations might support chip-and-PIN transactions, the card readers on fuel-dispensing units do not. They still run on traditional technology that receives payment information from the card's magnetic stripe.

According to Visa, the easiest way for gas stations to safeguard their customers' card information is to either encrypt the card data while it's being transferred across a network or stored in memory or shift to a chip-and-PIN card acceptance policy.