Cyber Incident Victim: Wawa

On December 19, 2019, Wawa publicly disclosed a payment card breach involving malware installed on its point-of-sale (POS) systems. The company's security team first detected the malware on December 10, 2019, and fully removed it by December 12, 2019. Forensic investigation revealed the malware had been present on Wawa's payment processing servers since March 4, 2019, with evidence suggesting it spread to most store systems by approximately April 22, 2019. The breach affected "potentially all" of Wawa's 860+ convenience retail locations across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C., including approximately 600 locations with fuel pumps. The malware operated intermittently across different stores between March and December 2019, though some locations might not have been impacted.

The malware specifically targeted payment card data processed through in-store POS systems, collecting credit/debit card numbers, expiration dates, and cardholder names. It did not compromise debit card PINs, credit card CVV2 security codes, or driver's license information used for age-restricted purchases. ATM transactions at Wawa locations remained unaffected. The disclosure followed a Visa security alert about similar POS malware incidents at North American gas pumps. Wawa directed potentially affected customers to consult its security breach notice for additional information but did not specify the exact number of compromised payment cards. The incident represented one of the largest card-related breaches of 2019 given Wawa's extensive East Coast footprint and nearly year-long malware presence.