Wawa, a convenience store chain across the East Coast of the United States, was subjected to a malware attack at the end of 2019, exposing customer payment card data.
The Philadelphia-based chain has over 850 different Wawa convenience stores across Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, DC.
What happened in the Wawa payment card data breach?
Wawa discovered malware on its company payment processing servers back on December 10. In a letter to customers after the breach was announced, the CEO of Wawa, Chris Gheysens, claimed that the issue affected ‘potentially all Wawa locations’. That amounts to over 850 separate physical convenience stores around America.
The silver lining in the breach is that Wawa claims it was able to remove the malware within two days of finding it on its systems. The company now says it is confident there is no further risk posed to customers due to this breach.
Can customers take legal action against Wawa for the payment card data breach?
On December 26, customers who had their payment card data breached from the Wawa attack filed a lawsuit against the company. They claimed that Wawa was negligent in the way that customer data was protected and that more aggressive steps should have been taken to protect it. It was further claimed that the results of the breach would now inconvenience customers further, as they must put time into “closing out and opening new credit or debit card accounts, ordering replacement cards, obtaining fraud monitoring services, resolving loss of access to cash flow and credit lines, monitoring credit reports and accounts.” The lawsuit was filed in federal district court in Philadelphia just after Christmas.
How was Wawa breached?
Information on how Wawa was breached has not been released. However, these kinds of payment card data breaches usually follow a similar pattern. Typically, attackers will trick companies or company employees into downloading the malware themselves via phishing emails. These are emails sent to someone at the company, designed to look like something official, but laced with malicious links or attachments that download the malware. Once this malware code is inside the company system, it can be extremely difficult to detect unless a routine malware check is conducted. This would explain how this particular attack went unnoticed for nine months in total.
What was compromised in the payment card data breach?
Of course, as with any payment card data breach, customer payment card information was exposed in the incident. Wawa have admitted that the breach may have exposed/affected the following personal information: credit card numbers, debit card numbers, expiration dates and cardholder names. While the Wawa ATMs were apparently not affected, cards used at the gas pumps or at the registers in-store may have been. Information that was apparently not exposed includes credit card CVV2 numbers (security code), PIN numbers, and driver’s license information.
What did Wawa CEO Chris Gheysens say?
In an apology statement, Gheysens said: ‘Today, I am very sorry to share with you that Wawa has experienced a data security incident. I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible.’
What should Wawa customers do now? How to know if your information was breached
It has been revealed that cards used at any Wawa location between the dates of March 4 and December 12 in 2019 may have been affected by the breach. Any customer who used their card at a Wawa gas pump or in-store register during this time should be aware of the breach.
Gheysens claims that the company is not aware of any unauthorised misuse of the payment card information. However, customers should remain vigilant and be on the lookout for any suspicious card or bank account activity.
Wawa has been quick to reassure anyone impacted that customers are in no way responsible for fraudulent charges on their cards as a result of this breach. According to federal law, if a customer discovers fraudulent charges and notifies their card company shortly after, they will not have to cover the cost of said payments.
By way of an apology and to help keep their customers safe, Wawa is now offering identity theft protection and credit card monitoring services to their customers for free.
Sam Rubin, the Vice President of incident response and risk management firm Crypsis Group, acknowledged that Wawa reacted sensibly to the attack, but they are just the latest in a long line of victims.
He said: “These sorts of large-scale credit card incidents illustrate just how sophisticated threat actors have become. Wawa is another victim in the ongoing battle against the multi-billion-dollar eCrime industry. The skill and determination brought to bear in this type of attack is what makes them so hard to prevent. The attackers were not only able to penetrate Wawa’s networks, they were also able to move laterally across hundreds of stores to identify payment card systems, obtain access credentials, and exfiltrate data. They did all of this while staying undetected for many months.
“Wawa took many of the right steps with this incident, including moving rapidly toward containment, beginning forensic investigation, notifying law enforcement, and proactively communicating with their customer base. Often, we see the communications element missing in these cases, which can lead to further damage to brand and reputation.
“These sorts of malware incidents are becoming increasingly common and difficult to protect against, with expanding attack surfaces, enterprise complexity, and growing malware sophistication. What is becoming make or break for enterprises is ensuring they have appropriate incident response plans, following those plans, and, as an element within them, being very proactive with the public regarding communications.”
What should Wawa do now to prevent further attacks?
While reacting and responding to the attack itself was Wawa’s number one goal, they must now take the time to reflect and take proactive steps to ensure it does not happen again. This could come in the form of employee education regarding phishing emails, more regular malware checks, or, as Comforte AG’s Jonathan Deveaux says, security tokenization.
Deveaux, who works as the head of enterprise data protection at Comforte AG, said: “The example of malware running undetected at Wawa stores proves why info security professionals need to seriously consider protecting data with security tokenization. Details are unclear regarding the type of malware installed on the Wawa payment processing servers, however, if the payment card data was protected in real-time with security tokenization, exfiltration of data from Wawa databases would have contained worthless tokens for the bad actors. Instead, when data is left in its clear-text form, credit and debit card numbers are exposed, which can put millions of payment card holders in a bad position.”
Is the payment card data breach being investigated?
Soon after discovering and nullifying the attack, Wawa reported the large-scale payment card data breach to the FBI. The company claims it does not know who launched the attack on them or how it went undetected for nine months. It remains to be seen whether the FBI can track down those responsible for the attack.