Wawa POS system compromised for 10 months
Wawa convenience stores is reporting a massive data breach that impacted payment card transactions potentially at all of its 800 locations.
Malicious actors managed to place malware on Wawa’s in-store and fuel pump POS systems starting on March 4, 2019 with all of its stores most likely being compromised by April 22. The company discovered the issue on December 10 and was able to fully block and remove the malware by December 12.
The information potentially stolen includes credit and debit card numbers, expiration dates and cardholder names. Debit card PINs and credit card CW2 numbers were not affected. Wawa gift cards also may be involved, although not specifically targeted, with the card numbers being stolen. The company is asking anyone who believes their gift card is affected to get in contact with Wawa customer service at 1-800-444-9292.
However, ATMs
located at Wawa locations were not part of the breach.
Wawa President
and CEO Chris Gheysens said
the company will cover any fraudulent purchases made with payment card data stolen
during this incident.
The company
did not say how many potential victims were involved nor was any information
given on how the malware was put in place.
Jason Kent, hacker in residence at Cequence Security, noted an interesting point in the company’s disclosure.
“The unusual
part of this story is that they weren’t notified of the breach externally. Does
this mean the malware didn’t work? Did the perpetrator not sell the numbers for
some reason? Is all of the effort to mitigate these types of attacks starting
to work,” he said.
Other
industry pros expressed some satisfaction that Wawa security apparatus was able
to at least partially protect their customers.
“It’s still
unknown how the criminals breached the network and accessed the data and it
appears that the criminals were only able to get part of the credit card
information. This is a testament to the
organization’s separation of data within their infrastructure to isolate the
information, so if one system is compromised then all of the data cannot be
stolen,” said James McQuiggan, KnowBe4’s security awareness advocate.
On the flip side Emily Wilson, vice president of research at Terbium Labs, was unimpressed with the amount of time the malware remained active and undetected.
“In this
case, cyber criminals had the better part of the year to siphon off cardholder
information from Wawa’s vast network of stores; while I’m sure the fraudsters
weren’t happy to be caught, they can boast quite a trove of information from
their time undetected,” she said.
Although it
has not been revealed what type of malware was involved, retailers across the
country have been hit repeatedly in 2019 with Magecart attacks predominating.
In August Pedro Fortuna, CTO of Jscramber, penned the SC Media Executive
Insight column Five
strategies to stop Magecart to help companies from being victimized.
Gloss