Wawa, a major East Coast gas station and convenience store chain, admitted back in December 2019 that its systems were hacked. Other than that initial bit of news, there was nothing very noteworthy to cover. Unfortunately, it seems that the breach was worse than people thought, as 30 million credit and debit card details suddenly went up for sale on a hacker forum.
This illegal credit card sale was discovered by cyber intelligence company Gemini Advisory. The credit card data of over 30 million individuals was up for sale at a popular forum called Joker’s Stash. This is a controversial site on the dark web that focuses on selling credit card details. A recent post detailed that they were selling data on 30 million American cardholders, along with one million foreign cardholders. That is a major breach and puts many people at risk. The original poster did not elaborate on the source of the data.
Gemini Advisory carried out an investigation into the matter and said that they tracked it back to the December data breach from Wawa. The data includes everything linked to the credit cards. This includes geo-location, ZIP code, along with the cardholder’s state and city. This is enough to fake the use of the credit card.
As a taste, the post only uploaded 100,000 card details which had the general geo-location attached to them, though the finer details were not included.
Massive Credit Card Data Breach
Wawa was breached last year when malware infiltrated their point-of-sale systems. This allowed hackers to collect credit and debit card data as it passed through the system. This is big because Wawa operates 850 convenience store branches, with 600 of them doubling up to serve as gas stations. Considering how many people find it more convenient to pay with a card swipe than with cash, a large amount of data was collected.
With the recent hack gaining media attention, Wawa has released a statement confirming that they are aware of the sale attempts and are working with federal agencies to catch the criminals. They have asked customers to notify their card companies of any fraudulent charges. The company claimed that no debit card PIN numbers or CVV2 numbers were leaked, nor was any other form of personal information accessed.
However, it seems that the data uploaded to Joker’s Stash does include CVV2 numbers. Experts expect the data to start leaking from the forum over the next year, with pricing at $17 for each US card and $210 for international cards.