The Pennsylvania-based convenience store and food market chain said in a statement Thursday that its security team discovered a malware data breach dating back to spring 2019. The malicious code reportedly left traces on most in-store and fuel pump payment systems.
According to the company, the breach affected all of Wawa’s 850 locations, stretching along the US East Coast from New Jersey to Florida. The exact number of affected customers is not known.
Wawa suggested that the malware may have collected debit and credit card information from thousands of customers. In particular, the company clarified that debit card numbers, expiration dates and cardholder names may have been affected. Wawa assured customers that PIN numbers and credit card security codes were, however, not exposed.
Investigators have launched a probe into the incident. Wawa said it had engaged a forensics firm to conduct an internal investigation as well. The company claims that it has offered, as a reimbursement, certain free services for affected customers including credit card monitoring and identity theft prevention.