Wawa Data Breach Affects 30M Customers, Info Sold on Forum

Hackers put 30 million payment card records up for sale on the internet carding fraud forum Joker Stash. The information was reportedly put up last Monday, January 27, 2020, with Wawa payment details at risk.

After conducting an investigation, threat intelligence firm Gemini Advisory found that the payment and card details came from Wawa. In December 2019, the convenience store chain announced that hackers had placed malware on its point-of-sale terminals. According to ZD Net, this allowed the hackers to obtain the card details of customers who made purchases at its stores and gas stations.

The massive data breach affected 860 retail convenience stores on the East Coast. ZD Net reports that 600 of these stores, which also doubled as gas stations, were compromised as well.


Dark Web Activities

A month after Wawa announced the data breach, Gemini Advisory found that personal information and data were being sold on the dark web. The details were filed under an advertisement called “Bigbadaboom-III.”

According to an article published by CBS News, the Bigbadaboom-III ad promoted information on 30 million credit and debit cards. This Wawa customer data was reportedly obtained across 40 states and from more than 1 million customers.

In a statement, Gemini Advisory said, “Major breaches of this type often have low demand in the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise.”

The vulnerable information allegedly sold on Joker Stash includes credit card numbers, dates, and CVV. However, the retail giant maintains that CVV numbers were not exposed in the breach, notes ZD Net.

Other personal information that was not exposed includes PIN numbers and driver’s license information. Likewise, customers who only used the ATMs at Wawa locations were safe from the data collection.


Taking Precautions

A notice posted on Wawa’s alerts page announced that the payment processor used by the retailer will be more alert. It also acknowledged the customer data and card details found on Joker Stash.

In light of this incident, the convenience store chain is urging the public to review their financial statements. Customers should also report unauthorized charges to their respective banks right away.

In a statement, Wawa said that “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges.”