Popular East Coast convenience store chain Wawa announced Thursday that it found malware on payment processing servers that affected card information gathered from customers at potentially all of its locations.
The company said the malware began running at some point after March 4 and was present on most store systems by approximately April 22. The information collected included cardholder names, credit and debit card numbers, and expiration dates. Debit card PIN numbers, credit card CVV2 numbers, other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected, Wawa said. Additionally, ATMs located in Wawa stores were not affected.
“I apologize deeply to all of you, our friends and neighbors, for this incident,” Wawa CEO Chris Gheysens said in a release. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.”
The company found the malware on Dec. 10 and removed it by Dec. 12. It also says it’s working with law enforcement in the wake of the incident.
The company is offering identity protection and credit monitoring services for free. Anyone affected by the breach can sign up for these via Wawa’s website.
Wawa has over 800 stores located in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia and Washington, D.C.