Future Tense

Exactly How Bad Is the Wawa Data Breach?

A man fills up his car with gas at a Wawa gas station.
Wawa customers, like those from this gas station in Delaware, photographed in July, may want to take extra financial precautions. JIM WATSON/Getty Images

This is the first installment in our new series “How Bad Is This Hack?”

When I was in college, the 24-hour Wawa was a staple of late-night food excursions from the student newspaper newsroom. So the announcement this week that the Wawa chain’s systems were breached feels a little like a personal betrayal. Luckily for me, I have not set foot in a Wawa since graduating, because for the past nine months malware on the Wawa system has apparently been collecting customer names and credit card information. The breach began in early March and was only discovered in mid-December.

Here’s what we know about the breach:

Number of people affected: Still unclear. Could be as large as all of the customers between March or April and mid-December at the Wawa’s nearly 850 stores and gas pumps in the United States. But it’s not clear how many customers that is, or how many were actually affected, or even when the malware began operating at each Wawa location. Reportedly, “most locations” were affected by the malware by late April.

How’d the hackers do it? Malware was installed on Wawa’s payment processing servers and was used to exfiltrate customers’ names, credit card numbers, and expiration dates. It’s not clear how the malware first entered the Wawa system, or what vulnerabilities it took advantage of, but it seems to have been able to bypass the micro-chip payment card technology used to encode payment card transactions with a one-time pin and capable of evading detection for several months.

What should you do now if you think you may have been affected? The most important things to do are: monitor your credit card bill carefully, promptly report any fraudulent charges so they will be covered by your bank and you can replace your card, and freeze your credit so that it will be harder for anyone to steal your identity. Since it appears the only stolen information in this case is payment card numbers, freezing your credit isn’t absolutely necessary—but it never hurts. And your social security number and other information has probably been stolen in other breaches, so you might as well just do it.

Proposed remedy: Wawa has said it will offer one year of identity protection and credit monitoring services to affected customers. If you don’t already have equivalent ones from other breaches, you can certainly take advantage of those services by using the Experian Identity Works activation code provided by Wawa. But what Wawa really needs to do now is completely revamp its threat detection and monitoring systems which allowed this breach to go unnoticed for nine months. A free sandwich for everyone affected would also be a nice gesture.

How bad is this, on a scale of 1-5? 2. Overall, this is a concerning incident primarily because of how long it lasted, undetected, on Wawa’s systems, and how easily the perpetrators were able to spread it across all (or at least, many) of the chain’s stores  But any breach that only gets your credit card number is a relatively tame one these days—it’s the easiest piece of personal information to change.

Personal attachments to Wawa aside, this is not a breach worth getting too worked up over for individuals. You are unlikely to lose any money—or much time or energy—dealing with this. Our mechanisms for handling payment card fraud are fairly well-oiled and consumer-friendly at this point.

Wawa should be a little more concerned about the potential for lawsuits from issuing banks and payment networks who are responsible for covering fraud costs, given how long it took the company to figure out what was going on. We’ll know more as more technical details of the incident come to light—but the timeline does not look good for Wawa, nor does the fact that it was so easy for the intruders to parlay their access to the network into access to so many of the chain’s stores. To its credit, after discovering the breach on Dec. 10, Wawa was able to stop it, and notify people, relatively quickly. Wawa’s status as a cult convenience store could be a double-edged sword here. Wawa die-hards will keep going there for their sandwiches and coffee, but the nostalgia may taste a little less sweet.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.