Security pros from threat intelligence firm Gemini Advisory revealed that hackers kept payment card details of Wawa’s customers on “Joker’s Stash” a dark web marketplace for trading stolen cards data. Researchers stated that hackers advertised the stolen card data as “BIGBADABOOM-III”, and the data belongs to 30 million Americans and over one million foreigners from more than 100 different countries.
It’s believed that Joker’s Stash contains debit/credit card details from the U.S., European, and global cardholders, including their geolocation data like state, city, and ZIP Code. In an official statement, Wawa confirmed that hackers tried to sell customers’ card information that breached in the security incident occurred on December 10, 2019.
“We became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident announced by Wawa on December 19, 2019. We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information. We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data,” the statement read.
Breach Overview
According to Chris Gheysens, Wawa’s CEO, the company discovered a malware payload in its payment processing systems on December 10, 2019. The security team at Wawa blocked the malware and believed that the malware no longer posed any risk to customers making payments at Wawa stores.
However, the malware affected the customers who made payments at Wawa stores and gas stations.Since March 4, 2019, the incident potentially affected 850 stores, which are operated by Wawa across the East Coast from Pennsylvania to Florida.
The exposed financial information included debit and credit card numbers, expiration dates, and cardholder names. However, PINs and CVV numbers were not exposed. The company also clarified that there is no evidence of any unauthorized use of exposed payment information.
Investigation Under Process
In a related incident, a class-action lawsuit was filed against Wawa Stores for failing to protect customers’ data. The lawsuit, which was filed in the U.S. District Court for the Eastern District of Pennsylvania, brought several people who claim they were impacted by the breach.
The lawsuit claimed that Wawa failed to secure its computer systems from hackers who installed malware that potentially affected Wawa’s payment systems. It also accused Wawa for breach of contract and violating consumer protection laws.