Wawa Data Breach Information

From Wawa (wawa.com) see below:

What Happened?

Based on our investigation to date, we understand that at different points in time after March 4, 2019, malware began running on in-store payment processing systems at potentially all Wawa locations. Although the dates may vary and some Wawa locations may not have been affected at all, this malware was present on most store systems by approximately April 22, 2019. Our information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware. We also immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response efforts. Because of the immediate steps we took after discovering this malware, we believe that as of December 12, 2019, this malware no longer poses a risk to customers using payment cards at Wawa.

What Information Was Involved?

Based on our investigation to date, this malware affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019 and ending on December 12, 2019. Most locations were affected as of April 22, 2019, however, some locations may not have been affected at all. No other personal information was accessed by this malware. Debit card PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the card), other PIN numbers, and driver’s license information used to verify age-restricted purchases were not affected by this malware. If you did not use a payment card at a Wawa in-store payment terminal or fuel dispenser during the relevant time frame, your information was not affected by this malware. At this time, we are not aware of any unauthorized use of any payment card information as a result of this incident. The ATM cash machines in our stores were not involved in this incident.

What We Are Doing

As soon as we discovered this malware on December 10, 2019, we took immediate steps to contain it, and by December 12, 2019, we had blocked and contained it. We believe this malware no longer poses a risk to customers using payment cards at Wawa. As indicated above, we engaged a leading external forensics firm to conduct an investigation, which has allowed us to provide the information that we are now able to share in this letter. We are also working with law enforcement to support their ongoing criminal investigation. We continue to take steps to enhance the security of our systems. We have also arranged for a dedicated toll-free call center (1-844-386-9559) to answer customer questions and offer credit monitoring and identity theft protection without charge to anyone whose information may have been involved, which you can sign up for as described below.

What You Can Do

Customers whose information may have been involved should consider the following recommendations, all of which are good data security precautions in general:
•Register for Identity Protection Services. We have arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you. Visit the Experian IdentityWorks website to enroll: https://www.experianidworks.com/credit or contact Experian’s customer care team at 1-844-386-9559 (Monday – Friday, between 9:00 am and 9:00 pm Eastern Time or Saturday between 11:00 am and 8:00 pm, excluding holidays) ◦Provide your activation code: 4H2H3T9H6

•Review Your Payment Card Account Statements. We encourage you to remain vigilant by reviewing your payment card account statements. If you believe there is an unauthorized charge on your payment card, please notify the relevant payment card company by calling the number on the back of the card. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.

•Order a Credit Report. If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report. In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 1-877-322-8228.

•Review the Reference Guide. The Reference Guide below provides additional resources on the protection of personal information.

For More Information

Equifax Data Breach Settlement Information

The Federal Trade Commission (FTC) has information that will help credit unions and their members file a claim to collect benefits under a settlement that the FTC and others reached with Equifax. It is estimated that roughly half the country is eligible to make a claim against the settlement. Now, you can now find out if you were affected by the September 2017 breach and make your claim for benefits.

Start at ftc.gov/Equifax. There, you can use a tool to find out if your information – like your Social Security number (SSN) – was exposed in the breach, learn about benefits, and start your claim to get free credit monitoring and maybe even cash. If your info was exposed in the breach, the settlement will give you up to 10 years of free credit monitoring. That means you’ll get an alert whenever somebody checks your credit history, opens a new loan or credit card in your name, or says a payment is late. So, if somebody has, say, your SSN and tries to use it to get a loan, this free credit monitoring service would let you know right away. That’s the kind of information that might make a real difference when you apply for a job, try to rent an apartment, or apply for credit.

Check out ftc.gov/Equifax to learn more and be sure to file your claim by January 22, 2020.

I. What Happened

On July 29, 2017, Equifax discovered that criminals exploited a U.S. website application vulnerability to gain access to certain files. Upon discovery, we acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Equifax also reported the criminal access to law enforcement and continues to work with authorities. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.

II. What Information Was Involved

Most of the consumer information accessed includes names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 consumers and certain dispute documents, which included personal identifying information, for approximately 182,000 consumers were accessed. In addition to this site, Equifax will send direct mail notices to consumers whose credit card numbers or dispute documents with personal identifying information were impacted. We have found no evidence of unauthorized access to Equifax’s core consumer or commercial credit reporting databases.

Identity Theft Prevention Tips

We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit reports. You may obtain a free copy of your credit report from each company listed below once every 12 months by requesting your report online at www.annualcreditreport.com, calling toll-free 1-877-322-8228, or mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting any of the credit reporting agencies below:

Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
888-766-0008

Experian
PO Box 9554
Allen, TX 75013
www.experian.com
888-397-3742

TransUnion
PO Box 2000
Chester, PA 19016
www.transunion.com
800-680-7289

If you believe you are the victim of identity theft, you should contact the proper law enforcement authorities, including local law enforcement, and you should consider contacting your state attorney general and/or the Federal Trade Commission (“FTC”). You also may contact the FTC to obtain additional information about avoiding identity theft.

Federal Trade Commission, Consumer Response Center
600 Pennsylvania Avenue NW, Washington, DC 20580; 1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft

Tips for Protecting your Information

We would like to remind you of the value of taking good security precautions. It is a good idea to develop strong and secure online passwords and to change them frequently. Below are a few tips for good password practices.

• Include numbers, symbols and letters.
• Use a combination of capital and lowercase letters.
• Do not use the same password across multiple sites.
• Do not store important passwords, such as your home banking password, in your email account.
• Monitor your accounts regularly for suspicious activity.

Report Suspicious E-mails

Internet scams are nothing new, and as more of us conduct our business online, we’re also becoming more business savvy in spotting suspicious e-mails. Unfortunately, the Internet scammers are becoming more sophisticated in their tactics, for example, creating fake websites which appear to be legitimate, but are actually designed to lure unsuspecting users into providing confidential information.

How the “PHISHERS” Lure You

Phishing (pronounced “Fishing”) is an online fraud technique used by criminals to entice you into to disclosing your personal information. One of the most common – and successful – techniques is to send you fake messages that mimic valid messages or websites from a company you trust, such as your financial institution, a credit card company, government agency, or online shopping site. The logos and the links all look correct.

Asking For Personal Information

Usually, the messages open by reporting a problem with your account, and will ask you to verify the following information:

• Name and online user name
• Address and phone number
• Social Security Number
• Account password or PIN
• Account number
• ATM/debit or credit card number
• Credit card validation code, (CVC). This is the code credit card companies use to authorize credit charges. American Express uses a 4-digit CVC number which appears on the front of your card, while Visa, MasterCard and Discover all use a three-digit number that is on the back.

Providing any of this information is the online equivalent of giving criminals the keys to your house. They can empty your financial accounts, run up charges on your credit cards or open fraudulent credit card accounts in your name. And it can take years to repair the damage to your financial integrity.

Suspicion = Protection

Be suspicious of e-mails that ask for personal information, and be alert to other common scams such as foreign lotteries, requests to transfer funds from overseas bank accounts and work-from-home opportunities.

• Delete any e-mail you don’t trust – even opening a “phishing” e-mail can plant a virus or spyware on your PC.
• Never send confidential information by e-mail. If you think you have been scammed and your confidential information compromised, contact your credit card companies and financial institutions immediately. Report it to the Federal Trade Commission . And contact all three credit reporting bureaus to have alerts placed on your credit reports.

• Equifax: equifax.com | 888.766.0008
• Experian: experian.com | 888.397.3742
• TransUnion: transunion.com | 888.909.8872

Remember, neither Motion nor any legitimate business will ever send you an e-mail asking for personal information. If you receive an e-mail that you’re suspicious of, don’t respond to it.

10 Ways to Protect Against Debit Card Fraud

1. Update your contact information with your financial institution. Your Credit Union can’t ask you about a suspicious charge unless it has your current phone number.

2. Copy the customer service phone number from the back of each of your debit or credit cards and keep this list in a separate location from your purse or wallet in case a thief steals the latter.

3. Let your financial institution and card issuers know your travel dates and destination. If your card gets swiped at an unusual location, the card issuer may decline the suspicious transaction.

4. Look out for ATMs that appear to be dirty or in disrepair. A fake machine may be set up to capture your card information.

5. Do not use ATMs with unusual signage, such as a command to enter your PIN twice to complete a transaction.

6. Watch out for ATMs that appear to have been altered. If anything on the front of the machine looks crooked, loose or damaged, it could be a sign that someone attached a skimming device.

7. Avoid using the ATM if suspicious individuals are standing nearby. Criminals may try to distract you as you use the machine to steal your cash, or watch as you type in your PIN.

8. Be aware that if your card gets stuck in the machine and someone approaches to help, it may be a scam. A criminal may be trying to watch as you enter your PIN code.

9. If your card gets stuck in the machine, call your financial institution promptly to report the incident.

10. As you key in your PIN, cover the keypad with your other hand to block anyone, or a camera, from viewing the numbers you type.

Important Note: Remember to check your balance on a regular basis. Federal law doesn’t protect debit cards to the same degree as credit cards when it comes to fraud. If you notify the bank within two days of discovering the card was lost or stolen, your loss is limited to $50. After two days, this amount jumps to $500, and after 60 days of receiving the statement with the fraudulent charges, your loss may be unlimited.

You can download a PDF of these 10 tips here.