UPDATED 21:10 EDT / DECEMBER 22 2019

Card data stolen in point-of-sale hack of Wawa stores and gas stations

The year’s almost done but the data breaches keep on coming, and the latest involves East Coast convenience store and gas station operator Wawa Inc., which has suffered a point-of-sale hack.

The data breach affected all of Wawa’s 850 locations and involved the theft of customer names, card numbers and expiration dates both at gas pumps and inside pay stations. It was detected Dec. 10, though the malicious code used to steal the data on Wawa’s network dates back to March 4. The code was contained Dec. 12.

“At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa and this malware never posed a risk to our ATM cash machines,” Wawa Chief Executive Officer Chris Gheysens wrote in an open letter to customers.

Ticking off the standard list of responses to a data breach, Gheysens noted that the company had hired an external forensics firm to conduct an investigation and is working with law enforcement as part of a criminal investigation. For the hat trick, customers are being offered credit monitoring and identity protection without charge.

Neither the number of customers affected nor how the infection took place was disclosed, but it reads like a fairly typical network point-of-sale attack.

“The malware was active on Wawa’s payment systems for nine months before being identified and removed,” Alex Guirakhoo, strategy and research analyst at digital risk protection solutions firm Digital Shadows Ltd., told SiliconANGLE. “Given that Wawa operates over 800 stores in the U.S., the attackers were likely able to harvest a significant amount of financial data.”

Robert Capps, vice president of market innovation at behavioral biometrics company NuData Security, a Mastercard company, said POS systems infected with malware are a huge opportunity for cybercriminals to steal card data.

“Restaurants and chains must keep a sharp eye out for these intrusions with continuous monitoring and updating patches across the network,” Capps said. “To fight fraud after credit card information has been stolen, restaurants and other hospitality companies offering services in the card-not-present space need to identify customers additionally by analyzing their online behavior combined with hundreds of other identifiers that hackers can’t imitate or steal.”

Jonathan Knudsen, senior security strategist at electronic design automation firm Synopsys Inc., thinks the incident should be a wake-up call for every business.

“Software is the critical infrastructure that supports nearly all of society, but unfortunately the responsibility for software security does not lie clearly with any one organization,” Knudsen said. “The inconvenient truth is that the vendor and the customer share responsibility. As with most other things, if you want it done right, you should do it yourself and adopt an attitude of ‘trust but verify’ with your suppliers.”
