If you’ve bought something with a credit or debit card from a Wawa convenience store in the last nine months, your personal information may have been swiped.
In a letter Thursday to customers, Wawa CEO Chris Gheysens said the information security team found malware on the servers that process the company’s payments “at potentially all Wawa locations” on December 10, but were able to get rid of it within two days. The company said it believes the malware no longer poses a risk to customers.
At this time, the chain said it wasn’t aware of any unauthorized use of payment card information. Gheysens said customers will not be responsible for any fraudulent charges on their cards.
The Philadephia-based chain has more than 850 convenience retail stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, DC, according to its website.
If you bought something with a card between March 4 and December 12, Gheysens said your information could be included in the data breach. Wawa’s ATM cash machines were not affected.
Based on the company’s investigation so far, credit and debit card numbers, expiration dates and cardholder names on cards used at in-store cash registers or gas pumps may have been compromised, according to Gheysens.
The letter said debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted items were not exposed.
Wawa is offering free identity theft protection and credit monitoring at no charge to its customers.