Convenience store chain Wawa revealed that they have been affected by a card breach after its security team found malware installed on its payment processing systems.
The malware collected payment card information from customers who used credit or debit cards at their stores and gas stations.
The malware was installed on its servers on March 4th, and was discovered on December 10 which was then removed two days later.
The company stated that based on their investigation, they found that at different points in time after March 4, 2019, the malware began running on in-store payment processing systems at potentially all Wawa locations.
The dates may vary and also some Wawa locations may not have been affected by the malware, but it was found to be present on most store systems by approximately April 22, 2019.
The breach was considered as one of the biggest card incidents this year. Wawa operates more than 860 convenience retail stores, of which 600 also double as gas stations.
The company operates on the US East Coast, with locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.
The company said that the malware was configured to collect payment data that passed through its in-store Point-of-Sale (POS) systems, such as credit and debit card numbers, expiration dates, and cardholder names.
However, the malware did not collect debit card PIN numbers, credit card CVV2 numbers, and driver’s license information that was used to verify age-restricted purchases.
Also, the transactions made through ATMs installed at Wawa locations were not impacted.
Wawa revealed the security breach a week after VISA published a security alert about multiple incidents involving POS malware at gas pumps across North America.
Those Wawa customers who are impacted can check for more information in the company’s security breach notice.