Wawa Breach May Have Affected More Than 30 Million Customers

Hefty collection of U.S. and international payment cards from the incident revealed in December found up for sale on dark-web marketplace Joker’s Stash.

A recent dump of payment card information being sold on a popular online fraud marketplace suggests that more than 30 million payment cards may have been affected by a malware attack and data breach at Wawa convenience stores and gas stations that was first revealed in December.

The Joker’s Stash marketplace–one of the largest and most notorious dark web marketplaces for buying stolen payment card data—began uploading card data Monday from a major breach dubbed “BIGBADABOOM—III,” researchers from New York-based fraud intelligence company Gemini Advisory revealed in a report.

“Gemini determined that the point of compromise for BIGBADABOOM-III is Wawa, an East Coast-based convenience store and gas station,” Gemini researchers Stas Alforov and Christopher Thomas wrote in the report, published Monday. “The company first discovered the breach on December 10, 2019.”

Joker’s Stash began advertising in December that it would upload a sizeable collection of U.S., European and global cards–including geolocation data listing the cardholder’s state, city, and ZIP Code–on Jan. 27. The marketplace boasted that the collection would include 30 million U.S. records across more than 40 states, as well as more than 1 million international  records from more than 100 different countries, researchers wrote.

Joker’s Stash apparently made good on its promise, but so far only has uploaded a portion of the entire haul, according to Gemini. The median price of U.S. payment-card records from the breach is currently $17, with some of the international records priced as high as $210 per card, researchers said.

“Apart from banks with a nationwide presence, only financial institutions along the East Coast have significant exposure,” Alforov and Thomas added.

The day after Gemini released its report, Wawa acknowledged that the company “became aware of reports of criminal attempts to sell some customer payment card information” from the December breach, according to a press statement.

“We have alerted our payment card processor, payment card brands and card issuers to heighten fraud monitoring activities to help further protect any customer information,” the company said. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

While Wawa—which operates mainly in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia and Washington, D.C.—discovered the breach in December, bad actors were collecting data for almost 10 months using malware on Wawa’s in-store payment processing system, the company said at the time. The malware first infected in-store payment processing systems after March 4; by April 22, most store systems—more than 850 in total—had been affected.

While Wawa has the most locations in New Jersey and Pennsylvania, the highest exposure of cards on Joker’s Stash currently comes from Wawa locations in Florida, followed by Pennsylvania, according to Gemini.

Overall, the Joker’s Stash collection suggests that the Wawa breach has the dubious honor of being among some of the largest payment-card breaches of all time, joining other, more widely known retail companies, according to Gemini researchers.

“It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data,” Alforov and Thomas wrote.

While it remains to be seen the financial affect Wawa will feel from the breach, historically such incidents cost the companies affected a considerable sum of money. Home Depot, for instance, lost $43 million in investigation and recovery costs, and eventually agreed to pay $19.5 million in compensation for the more than 50 million cardholders affected by its 2014 breach.

In a spot of good news for Wawa customers who may have been affected by the December breach, payment-card dumps like the one found on Joker’s Stash are not in very high demand in the dark web world, Alforov and Thomas noted.

“This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise,” they wrote, adding that the marketplace uses the breaches for credibility or publicity purposes to maintain a reputation “as the most notorious vendor of compromised payment cards.”

Suggested articles