Wawa says malware harvested customers' credit card data for months

Wawa, a chain of convenience stores and gas stations in the US, has disclosed the discovery of malware on its payment processing servers. The company said its security team found the intrusion on December 10 and had it fully 'contained' by December 12, though the malware had spent months harvesting payment card data by then. The malware may have been able to nab debit and credit card numbers as well as cardholder names and card expiration dates.

According to Wawa, the malware started running on its payment processing servers after March 4. This took place 'at different points in time,' the company says, and the security breach impacted its in-store payment processing systems. The malware may have affected all of the Wawa store locations, and Wawa says it had reached most of its store systems by around April 22.

The information collected by the malware was somewhat limited. Though it was able to grab the cardholder's name, card number, and expiration date, Wawa says the attackers weren't able to get things like credit card digital security codes, PINs, or driver's license data. Cards used both in-store and at the fuel pumps during these times were potentially compromised.

Based on its investigation, Wawa says this malware isn't likely to still be active in any of its stores. Law enforcement was notified and is investigating. The company is providing impacted customers with one year of free credit monitoring and identity theft protection from Experian.

The announcement comes only days after Visa's own security team issued a statement alerting the public to three separate instances of malware targeting the payment processing networks of major gas station chains. The report didn't name any of the impacted companies, meaning there's no way to know whether Wawa — which operates some of its own fuel dispensers — was one of the affected businesses.