Wawa Investigating Data Breach

The malware attack may have compromised customer payment information at all locations.

December 20, 2019

ALEXANDRIA—Wawa’s CEO Thursday said the convenience retailer’s security team discovered malware on Wawa’s in-store payment terminals and fuel dispensers on Dec. 10 and contained the threat by Dec. 12.

“The malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019, and until it was contained,” CEO Chris Gheysens said in an open letter to Wawa customers. “At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines.”

Gheysens said the retailer’s preliminary investigation indicates that the malware affected payment card information, including credit and debit card numbers, expiration dates and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning after March 4, 2019 and ending on December 12, 2019.

Most locations were affected as of April 22, 2019; however, some locations may not have been affected at all, he said. The malware didn’t access debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card) and other PIN numbers, nor did it access driver’s license information used to verify age-restricted purchases. The company said it isn’t aware of any unauthorized use of payment card information as a result of the breach.

Wawa has set up a call center to answer customer questions at (844) 386-9559. The retailer is also offering free credit monitoring and identity theft protection for anyone whose information may have been involved. Wawa also is offering potentially affected customers a year of identity theft protection at no charge through Experian.

“I apologize deeply to all of you, our friends and neighbors, for this incident,” Gheysens said in the letter. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously. I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible.”

Visa Warns of Breaches
The news comes as Visa Payment Fraud Disruption (PFD) said it has identified three unique attacks by sophisticated cybercrime groups targeting merchant point-of-sale (POS) systems. Two of the attacks targeted the POS systems of North American fuel dispenser merchants.

“It is likely these merchants are an increasingly attractive target for cybercrime groups,” Visa said in its security alert. Visa indicated cybercrime organizations are finding gas stations “increasingly attractive” because of a lack of secure acceptance technology (such as chip, point-to-point encryption, tokenization) and failure to comply with Payment Card Industry (PCI) standards, according to the Oil Price Information Service.

The VPFD found two unique attacks that target fuel dispenser retailers. In the first instance, the threat actors compromised the merchant via a phishing email sent to an employee. The email contained a malicious link that, when clicked, installed a Remote Access Trojan (RAT) on the merchant network and granted the threat actors network access. The actors then conducted reconnaissance of the corporate network and obtained and utilized credentials to move laterally into the POS environment. There was also a lack of network segmentation between the Cardholder Data Environment (CDE) and corporate network, which enabled lateral movement. Once the POS environment was successfully accessed, a Random Access Memory (RAM) scraper was deployed on the POS system to harvest payment card data.
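The missing segmentation between the corporate network and the CDE described above is something a merchant can check for in its own firewall policy. The following is an added example, not part of the Visa alert or the original article: it audits a rule set for allow rules that open a corporate-to-CDE path. The address ranges, rule format and first-match semantics are constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): corporate LAN and cardholder data environment.
CORPORATE = ipaddress.ip_network("10.10.0.0/16")
CDE = ipaddress.ip_network("10.50.0.0/24")

# Constructed rule set: (action, source CIDR, destination CIDR, dest port or "any").
# Assumed semantics: evaluated top-down, first match wins, default deny.
RULES = [
    ("allow", "10.10.20.5/32", "10.50.0.10/32", "443"),  # one admin host to one POS server
    ("allow", "10.10.0.0/16", "10.50.0.0/24", "3389"),   # remote desktop from all of corporate
    ("deny", "10.10.0.0/16", "10.50.0.0/24", "any"),     # intended segmentation rule
    ("allow", "10.0.0.0/8", "10.0.0.0/8", "445"),        # broad rule, shadowed for this path
    ("allow", "10.50.0.0/24", "0.0.0.0/0", "443"),       # CDE outbound, not corporate-sourced
]

def narrow(net, zone):
    """Part of `net` inside `zone`; CIDR blocks either nest or are disjoint."""
    if net.subnet_of(zone):
        return net
    if zone.subnet_of(net):
        return zone
    return None

def segmentation_findings(rules, src_zone=CORPORATE, dst_zone=CDE):
    """Return allow rules that open a path src_zone -> dst_zone and are not
    already blocked by an earlier deny covering the same traffic."""
    findings, denies = [], []
    for idx, (action, src, dst, port) in enumerate(rules, start=1):
        s = narrow(ipaddress.ip_network(src), src_zone)
        d = narrow(ipaddress.ip_network(dst), dst_zone)
        if s is None or d is None:
            continue  # rule does not touch the corporate -> CDE path
        if action == "deny":
            denies.append((s, d, port))
            continue
        shadowed = any(
            s.subnet_of(ds) and d.subnet_of(dd) and dp in ("any", port)
            for ds, dd, dp in denies
        )
        if not shadowed:
            zone_wide = s == src_zone and d == dst_zone
            findings.append((idx, str(s), str(d), port, zone_wide))
    return findings

if __name__ == "__main__":
    for idx, s, d, port, zone_wide in segmentation_findings(RULES):
        level = "HIGH (zone-wide)" if zone_wide else "review (scoped exception)"
        print(f"rule {idx}: {s} -> {d} port {port}: {level}")
```

In the constructed rule set, the deny on line 3 never takes effect for remote desktop because the zone-wide allow above it matches first, which is the kind of ordering mistake this check surfaces.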

In a second incident, VPFD identified a different compromise of another North American fuel dispenser merchant wherein threat actors targeted the merchant’s POS environment. The actors again obtained network access to the targeted merchant, although it is unclear how the actors gained this initial access before they moved laterally within the network to the POS environment. Finally, a RAM scraper was injected into the POS environment and was used to harvest payment card data. The targeted merchant accepted both chip transactions at the in-store terminals and magnetic stripe transactions at fuel pumps, and the malware injected into the POS environment appears to have targeted the mag stripe/track data specifically.

Cybercrime Group Suspected
Visa's analysis determined that the compromise was likely the result of an operation conducted by the cybercrime group FIN8. The attack used FIN8-attributed malware but also used new malware not previously seen employed by the group in the wild.

“It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network and takes more technical prowess than skimming attacks. Fuel dispenser merchants should take note of this activity and deploy devices that support chip wherever possible, as this will significantly lower the likelihood of these attacks,” Visa concluded in its security alert.

Overall, retail cyberattacks have been rising lately, with attempts jumping 20% last holiday season.

See “Ready or Not” in the December issue of NACS Magazine for information on how to upgrade payment systems at the pump to be EMV compliant.