Is Wawa in hot water over its data breach?
Photo: Getty Images/gsheldon

Is Wawa in hot water over its data breach?

Popular regional convenience store chain Wawa has been scaling and modernizing quickly, but a big data breach could rattle its growing, ardent fan base.

On Dec. 19, Wawa posted a public notice of a data breach, detailing a long-term cyberattack and its potential impact on customers. The malware, which was discovered on Dec. 10, had potentially been running on all of the chain’s point-of-sale processing systems from March 4 onward, with most locations having been impacted by Apr. 22. By Dec. 12, Wawa was able to contain the malware, but all Wawa customers who used in-store payment terminals and fuel dispensers (not Wawa ATMs) at any of Wawa’s locations during the 10 month span of the attack are at risk of their data having been compromised. 

Credit/debit card numbers, expiration dates and cardholder names were potentially stolen. Wawa hired a forensics firm to investigate the breach, and in the notice pointed potentially impacted customers to resources they could use to address any issues arising from the breach.

In an interview with Newsweek, cybersecurity expert Liv Rowley points out that Wawa was likely still accepting the less secure magnetic stripe payment processing cards. That would mean the chain had yet to implement the EMV (chip) payment processing, which is more secure against this type of fraud. The technology, in use throughout Europe, was introduced in the U.S. in 2015.

While in the last five years news of data breaches has become commonplace to the point that they often don’t register with the public, incidents of this magnitude tend to make waves.

In 2017 credit reporting agency Equifax experienced a data breach compromising hundreds of millions of records, launching a public discussion about cybersecurity through the U.S. 

In retail, Target’s notorious 2013 Thanksgiving point-of-sale data breach became a PR disaster for the store as customers vented outrage against the chain and derided its slow response.

In 2017, Target paid a $18.5 million settlement to 47 states and the District of Columbia to resolve an investigation into the 2013 breach, according to NBC News. The chain estimated the total cost of the data breach at $202 million.

BrainTrust

"Most consumers are numb to such incidents and the free credit monitoring offers that will inevitably follow. At this point I have more monitoring services than I do creditors."

Dave Bruno

Director, Retail Market Insights, Aptos


"Note that most Wawa customers view their Wawa as family and with family the first mistake is often easily forgiven, not the same mistake twice."

Richard J. George, Ph.D.

Professor of Food Marketing, Haub School of Business, Saint Joseph's University


"The impact will be minimal. They will prove to their customers that they are safe and we can get our Philly Soft Pretzels and lower gas prices again."

Frank Riso

Principal, Frank Riso Associates, LLC


Discussion Questions

DISCUSSION QUESTIONS: Will Wawa experience a significant impact from the data breach and what might that impact be? Will Wawa need to take more steps to recover from the breach?

Poll

13 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Michael La Kier
Member
4 years ago

News of data breaches has, unfortunately, become commonplace. And with few exceptions, again, unfortunately the news of such attacks goes away within the next few news cycles. So, likely this will be a blip on the screen and the majority of Wawa’s loyal shoppers will still shop with them. With the coming of CCPA and other future privacy regulations, however, privacy issues may become more and more a part of the conversation.

Frank Riso
Frank Riso
4 years ago

The Wawa brand is a very strong one and so they will still do well once the steps to protect their customers are complete. The impact will be minimal. They will prove to their customers that they are safe and we can get our Philly Soft Pretzels and lower gas prices again.

Steve Montgomery
Steve Montgomery
Member
4 years ago

Wawa has an extremely loyal customer base. People refer to “my Wawa” in conversation wherever their stores are located. Will the data breach hurt? Yes, they always do, but I expect that the impact on the Wawa faithful will not be significant.

Dave Bruno
Active Member
4 years ago

Another day, another breach. Most consumers are numb to these incidents and the free credit monitoring offers that will inevitably follow. At this point, I have more monitoring services than I do creditors. As long as Wawa is perceived as having taken swift and appropriate action, I don’t expect any meaningful impact to the brand.

Al McClain
Member
Reply to  Dave Bruno
4 years ago

I agree with you, Dave, that the impact will be minimal. But, isn’t amazing and unfortunate that any retailers are still not chip-compliant and even more astounding how long it takes some retailers to find malware and how little protection they really provide consumers? Many of these businesses are extremely large and I think they have an obligation to provide better card and data security for their shoppers.

Paula Rosenblum
Noble Member
Reply to  Al McClain
4 years ago

Since consumers have no real skin in the game, I just don’t think they/we care.

Dave Bruno
Active Member
Reply to  Paula Rosenblum
4 years ago

Couldn’t agree more, Paula…

Kenneth Leung
Active Member
Reply to  Paula Rosenblum
4 years ago

Exactly, the impact to consumers are spread out and most of it is handled by the financial institutions who aren’t putting the pressure on retailers and treat it as a cost of doing business

Richard J. George, Ph.D.
Active Member
4 years ago

Wawa will endure minimal negative customer impact due to this data breach. Wawa customers refer to their stores as “My Wawa.” CEO Chris Ghysens’ letter to customers was a combination of transparency and empathy. Once the breach was found, I am told, Wawa went public within a couple of hours, saying and doing the right things.

The challenge to Wawa going forward is twofold: 1. Determining why it took so long to discover the breach, 2. Making the necessary capital and IT investments to prevent such a breach from occurring again. Note that most Wawa customers view their Wawa as family and with family the first mistake is often easily forgiven, not the same mistake twice.

Gene Detroyer
Noble Member
4 years ago

You get the notice from the retailer telling you of a breach and advising you to change all your passwords and maybe your email address. Frankly, I ignore those notices. I have enough trouble with my own passwords. Maybe one day I will be sorry, but no disasters yet.

For several years we have seen the headlines of massive data breaches. The numbers are mind boggling. But how many of us have sensed in any way we have been personally breached? This has become just plain ho-hum. It will not impact Wawa nor will it affect whoever is next.

Al McClain
Member
Reply to  Gene Detroyer
4 years ago

It’s “ho hum” unless you have your identity stolen. At that point, it becomes a crisis that is not easily fixed.

Gene Detroyer
Noble Member
Reply to  Al McClain
4 years ago

Very true.

Craig Sundstrom
Craig Sundstrom
Noble Member
4 years ago

No, nobody really cares … whether that’s good or bad I’m not sure. But back to Wawa itself: “popular” seems like an understatement. It’s my understanding the chain enjoys a cult-like following — Apple with fountain drinks, I guess — so it would be interesting to see a study evaluating if a store’s reputation/popularity has any impact on how a breach is perceived (my earlier comment that “nobody cares” notwithstanding).