About a month before Wawa disclosed a data breach exposing customers' credit and debit card numbers, the nation's largest credit card network warned that hackers were targeting gas stations to steal payment card information.
Visa reported in November that gas stations emerged as attractive targets for cybercriminals because many have been slow to adopt more-secure payment-processing technology. Specifically, Visa said the attacks could continue as long as gas stations used magnetic-stripe readers to accept card payments, instead of devices that take cards equipped with computer chips.
Wawa said this week that it is implementing chip technology at gas pumps and expects all pumps to be upgraded in 2020.
An investigation into Wawa's data breach is continuing, and it's unclear how malicious software got on Wawa's payment-processing servers. But Visa's warnings shed light on a concerning trend of hackers targeting vulnerable gas stations with sophisticated cyberattacks.
Visa said criminals used malware in two data breaches over the summer at North American gas stations. In the past, criminals had typically used less sophisticated means, such as hiding "card-skimming" devices inside fuel pumps to steal data one card at a time.
"Fuel dispenser merchants should take note of this activity as the group's operations are significantly more advanced than fuel dispenser skimming, and these attacks have the potential to compromise a high volume of payment accounts," Visa's fraud unit warned. "The deployment of devices that support chip will significantly lower the likelihood of these attacks."
In a statement, Wawa spokesperson Lori Bruce said the company took steps to protect payment information provided at gas pumps, including increasing the physical security of fuel dispensers to reduce the risk of skimming attacks. She added that Wawa follows data security standards for organizations that handle payment cards. Gas stations have until October to move to chip technology under a deadline set by credit card networks such as Visa and Mastercard.
"At Wawa, nothing is more important than honoring and protecting our customers' trust, and we take seriously our commitment to protect our customers' payment information," Bruce said. "We are continuing to work with leading forensic experts and law enforcement to investigate this incident and understand why it went undetected."
Wawa has said malware was on its store systems starting after March 4, about eight months before Visa warned of the attacks on Nov. 14. Wawa said it found the malware on Dec. 10 and contained it by Dec. 12, but by then cardholder names, numbers, and expiration dates used in-store and at gas pumps were compromised. The breach went undetected for roughly nine months.
Now the popular convenience store chain is facing a wave of lawsuits accusing the company of failing to protect consumers from the massive data breach affecting potentially all of its more than 850 stores. At least nine lawsuits seeking class-action status had been filed in federal court in Philadelphia as of Tuesday. Some Wawa customers say that their credit and debit cards were fraudulently used after the data breach.
"What is most shocking to me, and should be most appalling to everybody, is how long this went undetected. How did Wawa just find this recently?" said Ron Schlecht, managing partner at Bala Cynwyd, Pa.-based BTB Security. "They were obviously not monitoring at an appropriate level commensurate with their business volume and were unable to detect this anomalous activity."
Wawa, which is based in Wawa, Pa., has stores in six states – including Pennsylvania, New Jersey, and Delaware – and the District of Columbia. The company, which had more than $12 billion in sales in 2018, serves about 700 million customers annually.
The lawsuits suggest that millions of customers could have been affected by the breach.
In August and September, Visa investigated two breaches at North American gas stations in which hackers deployed malware to harvest payment card data. In one case, someone sent an employee a phishing email with a malicious link that, when clicked, installed a "Remote Access Trojan" on the company's network. Hackers eventually reached the firm's point-of-sale system and scraped payment card data.
In another case, the gas station accepted card chips in-store and magnetic stripes at fuel pumps. The malware used in that attack targeted the magnetic-stripe data, meaning payment cards used at fuel pumps were at risk.
"The Visa reports make clear that it is user gullibility that is the attack vector," Michael Levy, former chief of computer crimes at the U.S. Attorney's Office for the Eastern District of Pennsylvania, wrote in an email. "A network may be hardened against an outside assault, but if you can get an employee inside the company to click on a link, and that link causes the employee's computer to download malware, you have tunneled under the moat and (fire)wall. It was my guess that the perpetrators accomplished the Wawa breach in a similar fashion."
Visa said one of the attacks it investigated was likely launched by a cybercrime group called FIN8, which often targets retail, restaurant, and hospitality merchants to steal payment account data. Such groups have "close ties with the cybercrime underground" and are easily able to sell the account information obtained in the attacks, according to Visa.
Card chip technology is considered far more secure than magnetic stripes because it creates a unique, onetime-use code for each transaction, according to Visa. If that information is stolen and used to create counterfeit cards, the onetime use code would not work, preventing counterfeit fraud.
Although other merchants now accept chip cards, many gas stations are still upgrading. Visa and Mastercard gave gas stations more time to adopt chip technology at automated fuel pumps, from October 2017 to October 2020, citing "unique challenges" facing the industry. For example, older pumps may need to be replaced before adding chip readers, requiring specialized vendors and breaking into concrete, Visa said in 2016.
Wawa has said it will pay for a year of identity-theft protection and credit monitoring for affected consumers who visit experianidworks.com/credit or call 1-844-386-9559 (activation code: 4H2H3T9H6). The company has also told customers to closely review account statements for unauthorized charges. Under federal law, customers who notify their card company shortly after discovering fraudulent charges won't have to pay those charges.
Debit card pin numbers, credit card security codes, and driver's license information were not affected by malware and the attack posed no risk to ATMs, according to Wawa.
The convenience store chain is hiring help for its cybersecurity defenses. Wawa is looking for an "incident response associate" who will help with the "detection, response and remediation of cyber related attacks on the Wawa enterprise," according to a job posting on Wawa's website.
The job opening was published Dec. 3, a week before the company said it discovered the data breach.