Just weeks after Wawa announced a major expansion of its convenience stores across Maryland, the Pennsylvania-based chain announced a data breach that may have exposed the debit and credit card information used by customers in its stores and at its gas pumps for much of last year.

The breach, discovered and patched last month, was the result of a malware attack.


Wawa said it does not know how many customers were affected. But the malware infiltrated payment processing servers at all of its more than 850 stores throughout the mid-Atlantic and in Florida. Wawa already has 53 stores in Maryland and plans to open at least 30 more over the next five years. Last year it partnered with the Baltimore Ravens to become the NFL team’s “official hoagie.”

Data breaches such as this have become a growing problem for retailers and other businesses and their customers. The total number of breaches jumped more than 33% nationally in the first nine months of 2019, while the number of records exposed more than doubled, Security Magazine reported in November.

Visa’s fraud division warned in November that gas stations have become increasingly attractive targets of malware attacks and urged fuel sellers to upgrade to chip-reading technology at the pumps. In one recent investigation, Visa said cyber-criminals gained access to a point-of-sale system through a phishing email with malware attached.

Here’s what Baltimore area consumers need to know:

What happened? Wawa’s information security specialists found malware on payment processing servers on Dec. 10 and had it under control two days later. The malware exposed credit and debit card information, including card number, expiration date and cardholder name.

It did not expose debit card PINs or other PINs, credit card security codes or driver’s license information used to verify purchases. The malware attacks may have begun later than March 4 at some stores. ATMs in stores were not attacked.

Wawa said it is not aware of any unauthorized use of payment card information stemming from the attack.

Who could have had information stolen? Any customer who used payment cards at any Wawa store between March 4 and Dec. 12. The retailer believes the malware no longer poses a risk to customers.

Will consumers be responsible if fraudulent charges appear? Cardholders are not responsible, in general, if they report fraudulent charges in a timely manner to the card issuer. It’s a good idea to carefully review statements and report any questionable charges quickly.

What is Wawa doing about the attack? Wawa said it contained and blocked the malware after discovering it. The company hired an outside forensics firm to investigate and reported the attack to law enforcement. It is offering customers one year of identity theft protection and credit monitoring at no charge through Experian IdentityWorks.

What can customers do? If you shopped or bought gas at a Wawa last year, keep an eye on your bank and credit card accounts for fraudulent charges — something you should be doing anyway.

Sign up for Identity Protection Services through Experian. Enroll by visiting Experian IdentityWorks or calling 1-844-386-9559, and provide activation code 4H2H3T9H6. Carefully review account statements and notify card issuers of fraudulent charges. Monitor your credit report through Experian or order a credit report from any of the three nationwide consumer reporting agencies. U.S. residents are entitled to one free credit report each year from each agency.

Several law firms have either filed class-action lawsuits against Wawa related to the data breach or announced plans to do so.