
Published on December 23rd, 2019


Wawa hit with massive data breach – News – fosters.com



Wawa says a large-scale data breach compromised the payment information of any customer who used a debit or credit card at any of its more than 850 stores since March.

In an open letter to customers Friday, chief executive Chris Gheysens said the company discovered that malware capable of exposing card numbers, expiration dates and cardholder names at "potentially all Wawa in-store payment terminals and fuel dispensers" had been installed on its servers on March 4. Debit card PINs, credit card security codes and driver's license information for verifying age-restricted purchases were not affected, he said.

Gheysens said the convenience store chain is unaware of any unauthorized card use as a result of the breach, which was contained Dec. 12, two days after it was discovered. Wawa declined to tell The Post how many customers or transactions were affected.

"I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident," Gheysens said in a news release. "To all our friends and neighbors, I apologize deeply for this incident."

The breach expands on what already is being billed as the worst year on record for data breaches, which have jumped 33% since 2018, according to Risk Based Security. The 5,200 breaches reported this year to date have exposed nearly 8 billion records. Nearly 4 of 10 Americans have been victims of data breaches or identity theft in the past year, according to ScoreSense. Malicious breaches are the most common and most costly, while accidental breaches tied to human or machine error account for a little less than half of all incidents, according to IBM.

In June, lab-testing company Quest Diagnostics announced that a breach at its billing and collections vendor, the American Medical Collection Agency, had exposed the medical, financial and personal information of nearly 12 million people within an eight-month span. In March, the Federal Emergency Management Agency announced it had accidentally exposed sensitive personal information of more than 2 million natural disaster survivors.

In July, Capital One announced that more than 106 million customers had been affected in one of the largest data breaches in history, when a hacker accessed information from scores of credit card applications, as well as 140,000 Social Security numbers and about 80,000 bank account numbers. Paige Thompson, a former software engineer with Amazon Web Services, was arrested and charged with wire fraud, computer fraud and abuse for the breach after boasting about the hack online.

"As we look over the experience of 2019, what stands out is that we are often our own worst enemy," Inga Goddijn, executive vice president at Risk Based Security, said in the report. "Whether it's a phishing campaign that ultimately provides malicious actors with a toehold into systems or misconfigured databases and services that leave millions of sensitive records freely available on the internet, it seems to be human nature coupled with weak controls that contributed heavily to the number and severity of breaches we've seen this year."

Breaches often take months to discover: 197 days, or more than six months, on average, according to IBM data, and another 69 days to contain them. The longer they go undetected, the higher the costs to companies and the more challenging it becomes for small and midsized businesses to recover. Globally, the average cost of a breach is about $3.92 million, IBM says, but the U.S. average is twice that at more than $8 million.





Philadelphia-based Wawa is offering free identity protection and credit monitoring services for all customers. A call center and toll-free number, 844-386-9559, have been set up for customer questions. An external forensics firm is investigating the breach, and law enforcement is also conducting a criminal investigation.

Though credit monitoring can be helpful, concerned customers would be better off freezing their credit to guard against fraudsters given how much time has passed since the initial breach, said Emily Wilson, vice president of research at Terbium Labs, a digital risk protection provider.

"Cybercriminals could easily have allocated cards out to criminal carding shops and fraud forums, mixing unsuspecting Wawa customer data in with stolen cards from a host of other breaches," Wilson said in comments emailed to The Washington Post. "Stolen payment cards are in high demand on criminal platforms, and the Wawa breach was no doubt a nice inventory boost for the cybercrime community - especially for any lingering cards that may be up for grabs for fraudsters looking to do some shopping this holiday season."

Mark McCreary, a cybersecurity expert with Fox Rothschild, said the information exposed in the Wawa breach poses a relatively low threat to customers.

"Yes, there may be fraudulent activity on credit cards, but consumers are not liable for those charges because of federal law protections," Rothschild said. "But there should not be any material heightened risk of identity theft because of this incident."

Federal protections for unauthorized debit card purchases hinge on how quickly the customer reports fraudulent activity. There is no cap on liability for unauthorized debit charges if the customer doesn't report them until more than 60 days after a bank statement is sent. But given that debit PIN numbers were not exposed, Wawa customers who paid with debit cards are at a lower risk.

Founded in 1964 as a roadside dairy market in the Philadelphia suburbs, Wawa now has more than 850 stores throughout the East Coast. The convenience store chain has a cultlike devotion among customers who praise its coffee and sandwiches and customer service. Privately held Wawa claimed more than $10 billion in revenue last year, making it one of the top 10 convenience store chains in the country, according to Winsight.
