What happened in the Wawa data breach?

Twingate Team

May 23, 2024

In 2019, Wawa, a convenience retailer, experienced a significant data breach that affected its stores and fueling locations. Hackers gained access to the company's computer network and deployed malware on its payment processing servers.

How many accounts were compromised?

The breach impacted data related to approximately 30 million individuals.

What data was leaked?

The data exposed in the breach included credit card numbers, expiration dates, and cardholder names, potentially leading to unauthorized charges and identity theft.

How was Wawa hacked?

Hackers breached Wawa's point-of-sale systems in March 2019 and installed malware on its payment terminals and fuel dispensers, allowing them to steal credit and debit card numbers, card expiration dates, and cardholder names from nearly all of Wawa's locations for the next nine months. The malware was introduced to Wawa's computer network, possibly through an employee, and harvested sensitive payment card data without collecting PIN numbers or credit card CV2 codes.

Wawa's solution

In response to the hacking incident, Wawa took several measures to enhance its security and prevent future breaches. These actions included agreeing to create a comprehensive information security program with appropriate administrative, technical, and physical safeguards. The program encompasses network segmentation, reasonable measures to detect and respond to security incidents, implementation of personal information access controls, logging and monitoring controls, and measures to ensure PCI DSS compliance. Additionally, Wawa committed to conducting annual comprehensive risk assessments, assessing the program's effectiveness, and providing security awareness training for all personnel. The information security program will be overseen by a credentialed expert in the field, and Wawa will undergo an information security compliance assessment by a third-party assessor within one year.

How do I know if I was affected?

Wawa has notified customers believed to be affected by the breach. If you're a Wawa customer and haven't received a notification, you may visit Have I Been Pwned to check your credentials.

What should affected users do?

In general, affected users should:

  1. Change Your Password: Immediately update your password for the breached account. Make sure the new password is strong and unique, not previously used on any other platform.

  2. Reset Passwords for Other Accounts: If you've used the same or similar passwords for other online accounts, reset those as well. This is crucial as attackers often try using stolen passwords on multiple sites.

  3. Enable Two-Factor Authentication (2FA): Activate 2FA on the breached account and any other important online accounts. This additional security feature significantly reduces the risk of unauthorized access.

  4. Monitor Your Accounts: Keep an eye on your financial and online accounts for any suspicious activity. Report any unauthorized charges or access to the respective companies immediately.

For more specific help and instructions related to Wawa's data breach, please contact Wawa Customer Service directly.

Where can I go to learn more?

For more information on the Wawa data breach, check out the following news articles:
