Wawa CEO Chris Gheysens apologizes to customers for data breach

PHILADELPHIA -- In an open letter, Wawa CEO Chris Gheysens is apologizing to customers for the data breach that affected potentially all of its stores.

"I apologize deeply to all of you, our friends and neighbors, for this incident. You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously," the letter posted to Wawa's website Thursday read.



Gheysens says those who shop at a Wawa are more than customers, they are "friends and neighbors."

"I can assure you that throughout this process, everyone at Wawa has followed our longstanding values and has worked quickly and diligently to address this issue and inform our customers as quickly as possible," Gheysens said.

In the letter, it was revealed that malware had been running on Wawa's in-store payment processing systems beginning at different points in time after March 4, 2019.

"This malware was present on most store systems by approximately April 22, 2019," Gheysens said.

Wawa's Information Security team discovered the malware on December 10 and contained it by two days later, according to Gheysens.



The CEO says payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers, was affected.

"Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver's license information used to verify age-restricted purchases were not affected by this malware," the letter read.

The company says ATMs and lottery terminals were not affected by the incident.

Gheysens said they believe the malware no longer poses a risk to customers using payment cards at Wawa.

On Friday, customers at a Wawa in Philadelphia's Roxborough section did not seem to care too muich about the breach.

"Just use cash," one customer said.

"There's a lot of worse things that could happen," said another.

Drexel University cyber security expert Rob D'Ovidio said because Wawa claims that PIN numbers, and CVV2 numbers weren't affected, customers may be at less risk of becoming victims of identity theft.

"In the grand scheme of things, I wouldn't say the sky is falling in terms of what is out there," D'Ovidio said.

If you happen to use mobile payment services, like Apple or Google Pay, cyber security experts say you're even less at risk to breaches like this one.

Wawa has set up a toll-free call center to answer customer questions at 1-844-386-9559. The company is also offering free credit monitoring and identity theft protection for anyone whose information may have been involved.

"Along with the nearly 37,000 Wawa associates in all of our communities, we remain dedicated to serving you every day and being worthy of your continued trust," Gheysens said.
Copyright © 2020 WPVI-TV. All Rights Reserved.