[BreachExchange] Wawa's massive card breach: 30 million customers' details for sale online

Destry Winant destry at riskbasedsecurity.com
Wed Jan 29 10:02:08 EST 2020


https://www.zdnet.com/article/wawa-card-breach-may-rank-as-one-of-the-biggest-of-all-times/

On Monday, hackers put up for sale the payment card details of more
than 30 million Americans and over one million foreigners on Joker's
Stash, the internet's largest carding fraud forum.

This new "card dump" was advertised under the name of BIGBADABOOM-III;
however, according to experts at threat intelligence firm Gemini
Advisory, the card data was traced back to Wawa, a US East Coast
convenience store chain.

A month before, in December 2019, Wawa disclosed a major security
breach during which the company admitted that hackers planted malware
on its point-of-sale systems. Wawa said the malware collected card
details for all customers who used credit or debit cards to buy goods
at their convenience stores and gas stations. The company said the
breach impacted all its 860 convenience retail stores, of which 600
also doubled as gas stations.

According to Wawa, the malware operated for months without being
detected, from March 4 until December 12, when it was removed from the
company's systems.

ONE OF THE BIGGEST CARD BREACHES KNOWN TO DATE

This prolonged infection period, along with a massive compromise of
hundreds of different locations, appears to have allowed the criminal
group behind this hack to amass a huge trove of payment card details.

"Since the breach may have affected over 850 stores and potentially
exposed 30 million sets of payment records, it ranks among the largest
payment card breaches of 2019, and of all time," Gemini Advisory said
today when describing the breadth of the Wawa breach.

"It is comparable to Home Depot's 2014 breach exposing 50 million
customers' data or to Target's 2013 breach exposing 40 million sets of
payment card data," they said.

CARD DETAILS ARE FOR SALE FOR AROUND $17/CARD

Gemini Advisory said that after analyzing the data, the Wawa card dump
appears to include "30 million US records across more than 40 states,
as well as over one million non-US records from more than 100
different countries."

In a press release published today after Gemini Advisory published its
report, Wawa said it became aware that customer card data was now
being offered for sale online. The company also didn't contest the
accuracy of the Gemini Advisory report, effectively confirming that
this week's Joker's Stash card dump came from its systems.

"We have alerted our payment card processor, payment card brands, and
card issuers to heighten fraud monitoring activities to help further
protect any customer information," Wawa said, also adding that it will
continue to work with law enforcement to investigate the hack.

The store chain also said "that only payment card information was
involved, and that no debit card PIN numbers, credit card CVV2 numbers
or other personal information were involved."

However, according to a sample of the Wawa card dump obtained by
ZDNet, the card dump did include CVV2 numbers, despite Wawa's claims.

Gemini experts said the Joker's Stash team is currently selling the
details of US-issued cards for $17 per card, on average, while data
for international cards is priced at a higher $210 per card.

"The Wawa breach aligns with Joker's Stash's tactic of adding records
stolen from large merchants in publicly disclosed major breaches only
after the breach is announced," the Gemini Advisory team said.

"Joker's Stash uses the media coverage of major breaches such as these
to bolster the credibility of their shop and their position as the
most notorious vendor of compromised payment cards."

