Convenience store Wawa recently found malware on the servers it uses to process payments at “potentially all Wawa locations,” according to CEO Chris Gheysens. The malware was discovered on December 10, and in a letter to customers on Thursday, Gheysens noted that it was contained by December 12. Customer payment card information used at Wawa stores between March 4 and December 12 could have been compromised.

The chain is offering customers free identity protection and credit monitoring services, which is a good start. Affected organizations should, at minimum, make sure to offer remediation and protection in the wake of a breach – however, over half of the respondents for 4iQ’s 2019 Identity Protection & Data Breach Survey felt more still needs to be done.