Wawa breach: Over 30M payment records posted for sale on dark web

It could be one of the largest data breaches in American history

Payment and credit card information from more than 30 million Wawa customers was posted for sale Monday via the dark web forum Joker’s Stash, a website used by cybercriminals for fraud, according to several reports.

Continue Reading Below

WAWA SAYS DATA BREACH AFFECTED THOUSANDS OVER 10 MONTHS

The compromised card data listing was shared under a thread titled "BIGBADABOOM-III," and it was noted as “the most biggest (sic) breach for the last 5 years” in a screenshot captured by cybercrime research firm Gemini Advisory.

A screenshot of dark web forum Joker's Stash reveals a post claiming to have access to millions of payment records for sale. (Gemini Advisory)

Wawa was not named in listing, but Gemini Advisory and other publications have linked the sale attempt to the American convenience store and gas station chain’s breach. In a press release from Dec. 19, Wawa announced it had discovered malware that may have affected more than 850 stores and included payment records from March 4 and Dec. 12, 2019.

WAWA FACING LAWSUITS OVER DATA BREACH AT ALL OF ITS STORES

Wawa issued a statement Tuesday afternoon regarding the reported illegal sale. However, it has not been confirmed whether the Joker’s Stash post is legitimate or connected to the chain.

The Wawa convenience store chain says a data breach may have collected debit and credit card information from thousands of customers, Thursday, Dec. 19, 2019. (AP Photo/Matt Rourke, File)

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” officials at Wawa wrote. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

WHAT IS CYBER INSURANCE AND WHY YOUR BUSINESS NEEDS IT

Wawa officials urged affected customers to remain vigilant in their transaction monitoring and report any fraudulent charges to authorities.

After discovering the malware in its system on Dec. 10, the breach was contained by Dec. 12, according to Wawa. The company stressed that payment records have not been at risk since.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

“We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved,” the statement continued for clarification. “This incident did not impact ATM transactions.”

Although limited information was obtained through the hack, Andrei Barysevich of Gemini Advisory told Fortune cybercriminals are still willing to pay for credit and debit card numbers. The median price for this info is $17 per card, according to Barysevich.

The cards could still be used at stores using older swipe technology.

CLICK HERE TO READ MORE ON FOX BUSINESS

The Federal Trade Commission estimates that as many as nine million Americans get their identities stolen each year. Moreover, a study from The Motley Fool reports that credit card fraud tripled between 2014 and 2018.