A US conenience store, Wawa, said that it discovered malware that skimmed customer’s payment card data at nearly all of its 850 locations.
The infection began on the 4th of March, 2019 and was not discovered until December 10th, 2019. It took two days for the malware to be fully contained, and nearly all of Wawa’s locations were affected according to the advisory published on the company’s website.
The malware collected numerous details such as: payment card numbers, expiration dates and cardholder names from payments cards used at nearly all Wawa in-store payment terminals and fuel dispensers.
The malware didn’t access debit card PINs, credit card CVV2 numbers, or driver license data used to verify age-restricted purchases. Information processed by in-store ATMs was also not affected. The company has hired an outside forensics firm to investigate the infection.
Thursday’s disclosure came after Visa issued two security alerts—one in November and another this month—warning of payment-card-skimming malware at North American gasoline pumps. Card readers at self-service fuel pumps are particularly vulnerable to skimming because they continue to read payment data from cards’ magnetic stripes rather than card chips, which are much less susceptible to skimmers.
In the November Visa advisory, officials wrote:
The recent attacks are attributed to two sophisticated criminal groups with a history of large-scale, successful compromises against merchants in various industries. The groups gain access to the targeted merchant’s network, move laterally within the network using malware toolsets, and ultimately target the merchant’s POS environment to scrape payment card data. The groups also have close ties with the cybercrime underground and are able to easily monetize the accounts obtained in these attacks by selling the accounts to the top tier cybercrime underground carding shops.
People who have used payment cards at a Wawa location should pay close attention to billing statements over the past eight months. It’s always a good idea to regularly review credit reports as well. Wawa said it will provide one year of identity-theft protection and credit monitoring from credit-reporting service Experian at no charge. Thursday’s disclosure lists other steps card holders can take.