Digital Transactions Authoritative, insightful and timely information for payments professionals
East Coast convenience-store and gas-station chain Wawa Inc. reported Thursday that it discovered malware on its payment-processing servers that may have affected all of its 850-plus locations. And at least two more municipalities using the Click2Gov online-payment platform recently have reported possible data compromises.
Wawa, Pa.-based Wawa said it discovered the malware Dec. 10 and “contained” it two days later. “This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained,” chief executive Chris Gheysens said in a statement on Wawa’s Web site. “At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines.”
More than 600 of Wawa’s locations sell gas. The malware may have compromised not only in-store payments but also fuel-pump transactions.
At-risk information includes debit and credit card numbers, expiration dates, and cardholder names, but not PINs or CVV2 [card-verification value] numbers, according to a Wawa news release. “At this time, Wawa is not aware of any unauthorized use of any payment card information as a result of this incident,” the release says.
The company has notified law enforcement and hired a forensics firm to investigate the incident. Wawa operates in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, Florida, and Washington, D.C.
Meanwhile, in Marietta, Ga., and Sugar Land, Texas, a Houston suburb, payment card data of residents using cards to make utility payments was at risk only if the customer made a one-time payment, not if they had enrolled their card in Click2Gov’s auto-pay feature for recurring payments, according to local media reports.
In Marietta, data on 8,000 customers who used cards for one-time payments between Aug. 26 and Oct. 26 may have been compromised, though no actual compromise has been confirmed, according to a local television news report. And Click2Gov provider CentralSquare Technologies of Lake Mary, Fla., notified Sugar Land officials Oct. 25 of a possible compromise, the Houston Chronicle reported. The duration and other details of the incident weren’t immediately available.
A CentralSquare spokesperson had not responded to a Digital Transactions News request for comment as of late Friday morning. Hackers hit more than 40 U.S. and Canadian towns using Click2Gov between 2017 and late 2018, according to a September analysis by New York City-based Gemini Advisory.
