Wawa Payment Data Breach May Have Affected All Wawa Stores

Wawa Payment Data Breach May Have Affected All Wawa Stores

Malware Discovered on Wawa In-Store Payment Processing Systems At Potentially All Wawa Locations – Massive Data Breach Affected Wawa Customer Payment Card Information 

On December 19, 2019, “An Open Letter from Wawa CEO Chris Gheysens to [Wawa] Customers” stated, among other things, that ” . . . Wawa . . . experienced a data security incident . . . on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019.”  The CEO’s “Notice of Data Breach” also stated that the ” . . . malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained.”

According to Wawa’s data breach notice, “. . . at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations.  Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019.  [Wawa’s] information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware.” [Emphasis added.]

Further, Wawa’s data breach notice stated that the

malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on December 12, 2019.  Most locations were affected as of April 22, 2019, however, some locations may not have been affected at all.  No other personal information was accessed by this malware.  Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware.  If you did not use a payment card at a Wawa in-store payment terminal or fuel dispenser during the relevant time frame, your information was not affected by this malware.  At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident.  The ATM cash machines in our stores were not involved in this incident. [Emphasis added.]

In addition to the data breach notice, Wawa has provided FAQs and other Resources for its customers.

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.