In a letter dated Dec. 19, the chain, which operates more than 850 stores in Delaware, Pennsylvania, Maryland, Virginia, New Jersey, Florida and Washington, D.C., said its information security team "discovered malware on Wawa payment processing servers" on Dec. 10.
By Dec. 12, the malware was "contained," and Wawa "immediately engaged a leading external forensics firm and notified law enforcement," the letter said.
"Wawa now understands that this malware began running at different points in time after March 4, 2019," the letter said. "Wawa took immediate steps after discovering this malware and believes it no longer poses a risk to customers."
Despite no longer posing a risk, anyone who used a credit or debit card at any Wawa store may have had their card number, expiration date and cardholder name stolen. The malware did not capture PIN numbers or CVV2 numbers, Wawa said.
Additionally, the ATM cash machines in Wawa stores were not impacted.
So far, Wawa said it is "not aware of any unauthorized use of any payment card information as a result of this incident."
Chris Gheysens, Wawa's CEO, apologized to customers in the letter.
"At Wawa, the people who come through our doors are not just customers, they are our friends and neighbors, and nothing is more important than honoring and protecting their trust," Gheysens said
. "I want to reassure anyone impacted they will not be responsible for fraudulent charges related to this incident."
Wawa will offer free identity protection and credit monitoring in light of the data breach, the letter said. Information to register for services can be found online.