On December 19, 2019, Wawa Inc., a convenience store chain headquartered in Pennsylvania, informed the public that it was investigating a data security incident. The CEO of the company explained in an open letter to Wawa customers that malware had been discovered on payment processing servers, allowing access to customer payment card numbers at potentially all Wawa store locations from March 4, 2019 to December 12, 2019. According to Wawa, the incident was contained and the malware blocked within two days of discovery; the company engaged forensics experts to investigate the incident, and informed the authorities.
In the CEO’s letter, Wawa offered one year of identity theft protection and credit monitoring through a major credit reporting organization at no charge to affected customers, and opened a toll-free line to answer customer questions.
On January 28, 2020, Wawa provided an update, disclosing in a press release that it had become aware that criminal elements were attempting to sell Wawa customer payment card information for as many as 30 million individuals.
Wawa noted in both the December and January communiques that it is working with law enforcement in connection with the criminal investigation of the incident.