FBI Reportedly Probes Wawa’s Massive Data Breach: What To Know

WAWA, PA — The FBI is reportedly probing a Wawa data breach that impacted anyone who used debit or credit cards at the company's convenience stores in the last nine months.

The Philadelphia Inquirer said Wawa asked the FBI to investigate the large-scale data breach because officials of the convenience store chain were unable to determine who launched the cyberattack.

Lori Bruce, a spokeswoman for Wawa, pointed Patch to its statement from last week that said the company "immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our review."

Bruce said the company continues to work "with top security experts to take steps to enhance the security of our systems and to support law enforcement in their ongoing investigation."

"At Wawa, the people who come through our doors every day are not just customers. We consider them family, and nothing is more important than honoring and protecting their trust," Bruce said. "We apologize deeply to our customers for this incident and want to reassure them they will not be responsible for fraudulent charges due to this incident."

The FBI told Patch that it wasn't immediately ready to respond to requests for information on the matter.

In a letter posted on the company's website, Wawa CEO Chris Gheysens said the company discovered malware on its payment processing servers Dec. 10.

"This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained," Gheysens wrote. The company said the malware was contained by Dec. 12.

ATM machines in the stores were not affected by the breach, he said.

The company has 850 stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida and Washington, D.C.

"I want to reassure you that you will not be responsible for any fraudulent charges on your payment cards related to this incident," said the letter, which urged anyone who could be affected to take steps to monitor their accounts for credit fraud.

The company said its investigation determined that the malware began running in-store payment processing systems at potentially all Wawa locations starting around March 4 and was present on most of its stores' systems by April 22.

The malware affected payment card information, including credit and debit card numbers, expiration dates and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers.

"No other personal information was accessed by this malware," Gheysens said. "Debit card PIN numbers, credit card CVV2 numbers (the three- or four-digit security code printed on the card), other PIN numbers, and driver's license information used to verify age-restricted purchases were not affected by this malware."

If you did not use a credit or debit card in any of the stores during that time, your information was not affected.

Anyone who is concerned that their debit or credit cards were compromised or who has questions about the breach can call a dedicated toll-free call center: 844-386-9559. Wawa is offering free credit monitoring and identity theft protection to anyone whose information may have been involved.

If you detect any incident of identity theft or fraud, promptly report the incident to your local law enforcement authorities, your state attorney general and the Federal Trade Commission. If you believe your identity has been stolen, the FTC recommends that you take these additional steps:

• Close the accounts that you have confirmed or believe have been tampered with or opened fraudulently. Use the FTC's ID Theft Affidavit (available at www.ftc.gov/idtheft) when you dispute new unauthorized accounts.
• File a local police report. Obtain a copy of the police report and submit it to your creditors and anyone else requiring proof of the identity theft crime.

Customers whose information may have been involved should:

• Review your debit and credit card account statements. Unauthorized charges should be reported immediately. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
• Register for identity protection services. "We have arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you," Gheysens said. Information about these services is available on the Wawa website or by calling the dedicated data breach number: 844-386-9559.
• Order a credit report. "If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report. In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies," the letter said. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 877-322-8228.

Wawa customers with questions about the data breach or enrolling in the credit monitoring services can call the data breach response line at 844-386-9559. It is open 9 a.m. to 9 p.m. Eastern Time Monday through Friday and 11 a.m. to 8 p.m. Saturday and Sunday, excluding holidays (which include Dec. 24, Dec. 25, Dec. 31, Jan. 1, and Jan. 20).

Other steps the company recommends:

Order your free credit report: Visit www.annualcreditreport.com, call toll-free at 877-322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission's website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. Do not contact the three credit bureaus individually; they provide your free report only through the website or toll-free number.

When you receive your credit report, review the entire report carefully. Look for any inaccuracies and/or accounts you don't recognize, and notify the credit bureaus as soon as possible in the event there are any.

You have rights under the federal Fair Credit Reporting Act. These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete or unverifiable information. More information about the FCRA is on the Federal Trade Commission website.

Place a fraud alert on your credit file: To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect you against the possibility of an identity thief opening new credit accounts in your name. When a merchant checks the credit history of someone applying for credit, the merchant gets a notice that the applicant may be a victim of identity theft. The alert notifies the merchant to take steps to verify the identity of the applicant.

You can report potential identity theft to all three of the major credit bureaus by calling any one of the toll-free fraud numbers below. You will reach an automated telephone system that allows you to flag your file with a fraud alert at all three bureaus:

Place a security freeze on Your credit file: You have the right to place a "security freeze" on your credit file. A security freeze generally will prevent creditors from accessing your credit file at the three nationwide credit bureaus without your consent. You can request a security freeze free of charge by contacting the credit bureaus

Placing a security freeze on your credit file may delay, interfere with or prevent timely approval of any requests you make for credit, loans, employment, housing or other services. For more information regarding credit freezes, contact the credit reporting agencies directly.

Patch editor Karen Wall reported for this story

Comments are closed.