Wawa data breach: More than 30 million debit, credit card records put online for sale

Hemani Sheth Mumbai | Updated on January 29, 2020

Joker’s Stash, a fraud forum, has said data of US, European, and global cards, including geolocation, cardholder’s state, city, and ZIP Code would be sold

In one of the biggest card breaches reported till date, credit and debit card data of more than 30 million cardholders was leaked to be put online for sale, according to a report by a cyber intelligence company Gemini Advisory.

In a breach titled titled “BIGBADABOOM-III,” Joker’s Stash, one of the largest carding fraud forums on the dark web advertised that it had credit and debit card details of more than 30 million American cardholders and over one million foreign cardholders on Monday.

Gemini Advisory published a report detailing the data breach that identified the source of the breach as Wawa, an east coast-based convenience store and gas station chain.

Wawa data breach

Wawa had admitted to being hacked back in December 2019. Hackers had planted malware on Wawa’s point of sale systems, reported ZDNet. The malware enabled hackers to collect credit and debit card details of Wawa customers who had used the card at their convenience store or gas station.

The breach had impacted all of Wawa’s 850 convenience stores, of which 600 stores doubled as gas stations, ZDNet reported.

However, according to Gemini Advisory, the malware might have infected Wawa’s payment processing servers back in March 2019, way before it was discovered.

Data put up for sale

Joker’s Stash had announced that data of more than 30 million US, European, and global cards, including geolocation, cardholder’s state, city, and ZIP Code would be sold. This would include 30 million US records over the span of 40 states, according to the Gemini Advisory report.

However, the market place had uploaded a data set of only 100,000 cards, which included state geolocation information, but not the city or ZIP Code, the report said. The listed geolocation data showed that a lot of the details had been falsified and only six US states had appeared to be genuinely affected. Apart from US banks, the data also contained details from card-holders with bank accounts from  Latin America, Europe, and several Asian countries.

Wawa on Tuesday had issued a statement saying that it was aware of the “reports of criminal attempts” to sell card data online and was working with federal agencies to prevent the same. It also urged customers to notify their card company of any fraudulent charges.

According to the company, no information regarding card PIN numbers or CVV2 numbers was leaked.

“We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved.  This incident did not impact ATM transactions,” the company had said.

However, according to a report by ZDNet, who obtained a sample of the data uploaded on Joker Stash, the data did include CVV2 numbers.

Joker’s Stash is expected to leak the remaining data over the next 10 to 12 months, according to a Bloomberg report.

The website priced US-issued records from the breach at $17, while the median price for international records was $210 per card.

If the online market place leaks the entire data, this could very well be one of the biggest card breaches of all time. Previously similar breaches had occurred at Home Depot and Target where millions of card records had been leaked.

Considering the recent increase in cyber-threats and card fraud, the Reserve Bank of India had recently announced changes to card payments that enables cardholders to switch on/off their card at will for different transactions at a number of places, including domestic, international PoS (point-of-sale), ATM, online (card not present) and contactless (such as Wi-Fi based), according to reports.

Published on January 29, 2020

Follow us on Telegram, Facebook, Twitter, Instagram, YouTube and Linkedin. You can also download our Android App or IOS App.

This article is closed for comments.
Please Email the Editor

You May Also Like