Wawa CEO says malware has been stealing credit card info since March

Forever21 and Target have experienced similar attacks in the past.

aimintang/iStock Unreleased/Getty Images

If you’ve lived on the East Coast, you’ve probably been to a Wawa. Dotting the states of Pennsylvania, Delaware, New Jersey, Florida, Virginia, Maryland, and a few others, Wawa is half convenience store, half gas station, full East Coast staple. And for almost a year, it’s been affected by malware.

In an open letter to his customers on Thursday, Wawa CEO Chris Gheysens wrote that malware had compromised "payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers" since March 2019.

Gheysens noted that the information security team determined that details like debit card PIN numbers as well as CVV2 numbers were not compromised in the attack. Forever21 and Target customers have been on the receiving end of this type of malicious software as well.

From March to December — Although Gheysens doesn't explain why it took so long to detect the malware, he noted that it began affecting customer payment card information at several Wawa stores since March 4 of 2019. By April 22, the CEO wrote that the malware was present in “most store systems.” According to Gheysens, Wawa's information security team finally spotted the malware on December 10 and contained it by December 12. It no longer poses any risk, Gheysens claimed.

A bit of good news — If you’ve ever used your card at a Wawa on the East Coast, Gheysens wrote that you or any other affected customer “will not be responsible for any fraudulent charges on your payment cards related to this incident.” So, there’s some respite in that. That said, before you X this page, it never hurts to read some tips on protecting yourself against malware.