
Wawa Announces Data Breach Potentially Affecting More Than 850 Stores (6abc.com) 30

Wawa, a convenience store and gas station chain, notified customers Thursday of a data breach (Warning: source may be paywalled; alternative source) that collected debit and credit card information at potentially all of its more than 850 locations along the East Coast. It is now offering free credit monitoring and identity theft protection to those affected. The New York Times reports: Malware was discovered on Wawa payment processing servers on Dec. 10; it was blocked and contained by Dec. 12, the company said, adding that the malware no longer posed a risk to customers using cards to pay. Customer information including credit and debit card numbers, expiration dates and cardholder names on payment cards used in store and at fuel pumps was being collected as early as March 4, the company said. A.T.M.s inside stores were not affected. Debit card PINs, credit card security code numbers and driver's license information were also not part of the breach, the company said, adding that it was not aware of any unauthorized use of any payment card information because of the breach. After learning of the breach, Wawa initiated an investigation, notified law enforcement and payment card companies, the company said, adding that it had brought on board an external forensics firm for support. The company, which is based in Pennsylvania, established a dedicated call center to answer questions. "Today, I am very sorry to share with you that Wawa has experienced a data security incident," Chris Gheysens, Wawa's chief executive, said in a letter. Customers will not be responsible for any fraudulent charges on cards related to the data breach, he said. "I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa."
  • Now someone has found out about my hoagie addiction! Nooo!
  • If they didn't get the CVVs, PINs, or ZIP Codes, they don't have enough to make a transaction anymore...

    • by hey! ( 33014 )

      If you have enough cards, not having the CSC isn't a problem. Suppose you had 10,000 cards, and you tried transactions with random CSCs. Since most CSCs are only three digits long, you'd be right 1/1000 times, yielding 10 cards you can use. If you had several cracks at it, that might yield dozens of cards.

      This is the thing about this kind of crime; the success rate doesn't have to be high if you've got enough data.

      • by pellik ( 193063 )
        The people who perform this kind of hack aren't also using the cards, they are selling them. The value of a card without the other information is pretty low if it holds any value at all. Banks use some pretty powerful machine learning to watch for patterns. The thieves don't just attempt to make a purchase 10,000 times in a row with the same browser identity and same purchase information. There is a cost to attempting to use the stolen information that likely exceeds the value of that information. This kind
      • > If you have enough cards, not having the CSC isn't a problem. Suppose you had 10,000 cards, and you tried transactions with random CSCs. Since most CSCs are only three digits long, you'd be right 1/1000 times, yielding 10 cards you can use. If you had several cracks at it, that might yield dozens of cards.

        > This is the thing about this kind of crime; the success rate doesn't have to be high if you've got enough data.

        If the transaction requires a billing address then it's a no-go. No zip codes, no security codes, no dice.

        Need a zip to use at a pump, need a security code for online.

        If they have the zips of the store then the most likely outcome would be free gas cards on the dark web.

    • The only thing that solves it is a chip card which encrypts the whole thing from the card to the bank. Don't count on CVVs, PINs and so on to stop this from happening. Too easy to get around that, like writing the number to magnetic strips on cards. Magnetic strip should have gone away a long, long time ago. Another thing that needs to go away is printing the number on the card, putting the number on a slide out plastic strip would be an alternative. Printing the number just right on the card is extremely s

      • by MikeMo ( 521697 )
        Actually, Apple Pay completely resolves the issue. The CC# is not used in the transaction at all. There is nothing held by Wawa that can be used by a scammer. I go out of my way to use Apple Pay whenever possible because of this. Fortunately, Wawa does support Apple Pay and I use it there.
  • by Anonymous Coward

    Does this affect chip cards? Chip cards encrypt all the way from the card to the bank, correct? There are still magnetic cards but fewer and fewer. Chips were supposed to be the sure thing to stop this from happening. The last major vulnerability is printed card numbers on the card itself. Perhaps these should be hidden behind a closable window or something that can be covered up with a slider.

    • > Does this affect chip cards?

      Yes, though less so. Basically, chips don't work on the internet or over the phone, so all chip cards also function as chipless cards.

      > Chip cards encrypt all the way from the card to the bank, correct?

      It's complicated, but mostly the chip allows the terminal to verify a physical card. It makes it harder to clone a card.

  • Is Google Pay safe? I use that at Wawa every week for gas. In store purchases are made with a gift card linked to a Privacy.com card.
  • The odd charges that showing up on my card after buying gas at a local wawa in early November. I just figured there was, likely, a skimmer as the lower panel was loose and, like a numbnut, I used the pump anyway. But, malware now seems more likely.

    This is the 4th breach (OPM & Equifax included) by large corporations that has compromised my credit card info. I've got credit monitoring monitoring my credit monitoring. So not amused.

    • by bobby ( 109046 )

      It turns out the conveniences of plastic payments, paying at the pump, etc., also make things more convenient for the criminals.

  • I went there once and came away with gas that made my car run like shit for two weeks.
    • > I went there once and came away with gas that made my car run like shit for two weeks.

      Weird, you only usually see that kind of quality from Lukoil. The one closest to me has consistent problems with getting their pumps certified by weighs and means.

      • I suspect modern cars with their sensors and computer won't notice the difference except for less fuel mileage, it will adjust to the fuel characteristics. Mine is a classic with carb and distributor. YES IT'S OLD!
        • > I suspect modern cars with their sensors and computer won't notice the difference except for less fuel mileage, it will adjust to the fuel characteristics. Mine is a classic with carb and distributor. YES IT'S OLD!

          Either that or they are selling you .95 gallons of gas and passing it off as a full gallon. Might seem trivial, but when you consider the fact that gas price wars often go to the second decimal place it could make all the difference.

        • by bobby ( 109046 )

          Okay, that is classic. What year?

    • Highly unusual. Wawa sells great quality fuels, gas and diesel, and they move so much of it that it is always fresh.

  • They fully disclose the breach and accept full responsibility.

    It will be a pain in the ass to cancel my cards and get them replaced, but as a Wawa customer, I actually feel good about Wawa in light of this. This shows genuine integrity on the part of Wawa.

    They turned a public relations disaster into, possibly, a positive branding move. All it took was a little bit of good social ethics.

    • Looks good on the face until you learn that the infections were from March 4 to December 10. Good PR but bad IT.
  • ... of any unauthorized use"? Seriously? With 37000 cards, it is nearly inevitable that some of them have been used for unauthorized transactions, whether related or not.

    So the only possible conclusion is that they tried very hard not to find any related unauthorized transactions. So why would we trust the rest of the statement?

  • I expected a whole bunch of “what the heck is wawa and why would anyone go to someplace called that” kind of comments. I know when I got to NJ about 25 years ago I had no idea what Wawa was and thought it was the strangest name for a place.

    For those who don’t know, it’s now a huge chain of - as stated in the original post - gas and convenience stores. They are well known for having excellent quality, fresh made sandwiches and other food items, great coffee, and high quality fuel at
