The company, which is based in Pennsylvania, said its team found malware on the servers that process payments on Dec. 10. Wawa said its team stopped the breach on Dec. 12, but the malicious software may have been collecting information since March 4.
The company said all of its 850 locations were affected. Wawa also said it doesn’t think any credit cards were used illegally because of the breach.
Fuel payments and in-store purchases were affected, but not ATMs. Wawa is getting in touch with customers and offering free credit card monitoring, as well as identity theft protection, to anyone who has been affected. The company also contacted the police and hired a forensics firm.
Wawa isn’t the only large company to be affected by a data breach recently. Last month, a data breach exposed the personal data of more than 1 million prepaid T-Mobile customers.
The information exposed did not include any financial information, Social Security numbers or password data. The cyber thief got users’ names, billing addresses, phone numbers, account numbers and plan information.
Data about rates and features are considered customer proprietary network information (CPNI). Under Federal Communications Commission (FCC) rules, telecommunication firms are required to promptly notify users when there is a breach.
In a disclosure to affected customers, T-Mobile said there was a data breach affecting prepaid data customers.
“Our cybersecurity team discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account,” the disclosure stated. “We promptly reported this to authorities. None of your financial data (including credit card information) or Social Security numbers was involved, and no passwords were compromised.”