Victor Wynne

Really, Wawa?


Kim Lyons:

“If you used your credit card or debit card to buy gas or pay for snacks at any Wawa convenience store, anytime in the past nine months, your card information may have been skimmed by malware. The Philadelphia-based gas and convenience store chain says it discovered the malware on its payment processing servers on December 10th, but it took quite a while for the company to notice – the malware may have affected all 700 of its locations across five states since March.”

Wawa makes a lot of money1 according to an Inc. report from last year. The sheer number of daily transactions make it a prime target for scammers and I’m honestly surprised this is only just now happening. The credit/debit card numbers, expiration dates and customers’ names were exposed but PIN and security codes weren’t which hints that at least some layer of security is in place and being well-kept. Regardless of a malware infection, I wouldn’t be surprised if the stolen data had been stored in plaintext.

I believe the people responsible for infecting Wawa’s servers didn’t really gain anything from doing so other than to prove that they could otherwise we would have heard about this long before now. That doesn’t excuse the extreme carelessness by the security team at Wawa though. It having to take nine months to discover the issue is downright appalling. Hopefully Wawa mitigates the error of their ways and moving forward will have regular external audits of their systems performed. Nothing is going to keep me from stopping in for a yellow cake donut a few times per year month though 😛.

  1. The 800 million annual customers spend nearly twice as much per visit compared to the industry average.