The Wawa Credit Card Breach: What You Need to Know

A Wawa data breach has exposed the credit card information of customers to hackers. Photo by David Murrell.

Let’s get straight to the bad news: If you’ve shopped at Wawa any time in the past 10 months — which is to say, if you’re a Philadelphian — hackers might have the information from every credit card you’ve used there. That was the announcement that came Thursday when the company shared that it had fallen victim to a data breach affecting all 850 of its stores.

According to a letter from CEO Chris Gheysens, hackers managed to infiltrate Wawa’s payment processing servers on March 4th. Wawa didn’t discover the breach — which it now says is cleared up — until December 10th. I’m no math genius, but that sounds like a lot of at-risk hoagie sales.

How exactly did this happen? There are few specifics in the press release, but fortunately — or, rather, unfortunately — there’s a pretty common playbook for this sort of thing, says Matt Wilson, a cybersecurity expert at Philly BTB Security.

Typically, hackers send out emails with links or attachments containing malware, not unlike your run-of-the-mill phishing attempts. If an employee falls for the scam, the hackers might get access to, say, a corporate computer system. In theory, those corporate computers are supposed to entirely walled off from payment servers. But, either through sheer ingenuity or through company vulnerabilities, hackers often find a way through.

Take, for example, the point-of-sale breach that affected Target in 2013. In that instance, the hackers targeted a Pennsylvania business that built refrigerators for Target. From there, the malware jumped to an internal Target computer system monitoring the fridge temperatures, and from there it migrated to the payment center. All told, hackers got the credit card information of tens of millions of people, and Target ended up paying $18.5 million in settlement fees following an investigation.

But let’s get back to Wawa …

Why did it take so long to discover the breach?

People in the cybersecurity business use the phrase “dwell time” to denote the period between a breach and its discovery. Ten months sounds like a long time, but it’s not unheard of. According to one IBM analysis from this year, the average breach discovery took almost seven months.

It’s worth keeping in mind that Wawa isn’t the only entity here with a stake in weeding out fraud. Banks have their own fraud-detection systems as well. In fact, financial institutions are often the ones to tell merchants their data has been stolen. (According to Wilson, banks will even screen for fraud by purchasing stolen credit card numbers off the black market and checking to see if any of their own accounts are among them.)

But the notification didn’t come from the banks in this case. “That might indicate the bad guys have been sitting on the data,” says Wilson.

What was compromised?

According to Gheysens’s letter, credit and debit card numbers, names and expiration dates were all captured by the hackers. Anyone who paid at a gas pump or the in-store card reader could be affected. A Wawa spokesperson did not respond to a request for comment as to whether Apple Pay or Wawa app users were also exposed to the breach.

PIN numbers and three- or four-digit security codes weren’t stolen, but that doesn’t necessarily matter for the hackers, per Wilson. A three-digit code has only 999 possible answers, after all. “That sounds like lot to human,” he says. “To a machine, it’s nothing.”

Wawa says it is currently unaware of any fraudulent payments using the cards. That likely just means no one has yet come forward yet, Wilson says, and fraud analysts are now presumably working to separate legitimate transactions from potentially fraudulent ones. “It’s a needle-in-a-haystack problem,” he says.

What can customers do in the meantime?

For those affected by the breach, Wawa has set up a complimentary year of credit monitoring through Experian. You can register for that here, using the activation code 4H2H3T9H6.

Meanwhile, you can also order an online credit report, which screens for potential fraudulent activity. You can also put a fraud alert on your credit file, which would prevent anyone from opening up a new account in your name. Wawa has compiled all the relevant information on how to do that here.  (They also have set up a phone number you can call at 1-844-386-9559.)

Of course, you can also request entirely new credit card numbers, or you could ask your bank to set up two-factor authentication, which would require you to verify any payment through an email or text message.

The one thing everyone should do is review past credit card statements, and continue to monitor them to make sure nothing fraudulent shows up.