American supermarket Wawa said on Thursday that it recently discovered malware that skimmed the payment card details of customers in almost all 850 stores.
The infection started rolling into the store’s payment processing system on March 4 and was only discovered on December 10, an opinion on the company’s website said. It took another two days for the malware to be completely embedded. The point-of-sale systems of most locations were affected on April 22, 2019, although the advice said that some locations might not be affected at all.
The malware collected payment card numbers, expiration dates and card holder names of payment cards that were used at “possibly all payment terminals and fuel machines in the store”. The advice did not say how many customers or cards were affected. The malware has not been able to access PIN codes, credit card CVV2 numbers, or driver’s license information that was used to verify age-restricted purchases. Information processed by ATMs in the store was also not affected. The company has hired an external forensic company to investigate the infection.
Thursday’s announcement came after Visa issued two security warnings – one in November and another this month – warning for skimming payment card malware at North American gas pumps. Card readers with self-service fuel pumps are particularly vulnerable to skimming because they continue to read payment data from the magnetic stripes of cards instead of card chips, which are much less sensitive to skimmers.
In the November opinion, Visa officials wrote:
The recent attacks are attributed to two advanced criminal groups with a history of large-scale, successful compromises against traders in different industries. The groups gain access to the network of the intended seller, move sideways within the network with the help of malware tool sets and ultimately focus on the seller’s POS environment to scrape payment card data. The groups also have close ties with underground cyber crime and are able to easily make money with the accounts obtained during these attacks by selling the accounts to the best cyber crime underground ticket shops.
The December opinion said that two of the three attacks had the characteristics of Fin8, an organized cyber crime group that has been targeting retailers since 2016. There are no indications that the Wawa infections are related to those in the Visa recommendations.
People who have used payment cards at a Wawa location must pay close attention to account statements in the past eight months. It is always a good idea to also regularly view credit reports. Wawa said it provides Experian with identity protection and credit monitoring from Experian for credit reporting for free. Thursday’s disclosure gives other steps that cardholders can take.