30 million payment cards could have been compromised in Wawa breach

Wawa revealed in December that payment data on the customers who visited the US retailer’s 850 locations could have been compromised in a hack.

Now the true scope of the breach could have been revealed as criminals claim to be selling 30 million records from the incident.

The fuel and convenience store retailer disclosed the hack on December 19, having initially discovered the malware in its systems on December 10. It said that its payment card processing systems had been compromised for nine months, triple the three-month average that hackers stay undetected inside systems.

Debit and credit card data were among the compromised information, although Wawa claimed that PIN codes and the three-digit security code on the back of credit cards were not exposed.

Now, fraud experts are saying that the batch of stolen payment data has been on sale at the popular underground shop Joker’s Stash since Monday, January 27, according to KrebsOnSecurity.

The seller reportedly said they were in possession of data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across more than 40 US states. The stash was dubbed BIGBADABOOM-III.

According to sources speaking with KrebsOnSecurity, this could be the data stolen from the Wawa breach.

When asked about the Joker’s Stash sale, Wawa issued a statement.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa told KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorised use to the bank or financial institution that issued their payment card by calling the number on the back of the card.

“Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”

The Wawa breach news comes as 84% of business owners have named outside hackers as their biggest cybersecurity concern, and just as Travelex, the foreign exchange company, stated that it has its services fully back up and running after almost a month’s outage caused by a ransomware attack.

Copyright © 2018 RegTech Analyst
