Wawa Customers’ Stolen Payment Card Information for Sale on the Dark Web

Yesterday, American convenience store and fuel services chain Wawa became aware that cybercriminals were attempting to sell their customers’ payment card information, which had been involved in a previous data security incident. The retailer immediately alerted their payment card processor and card issuers to heighten fraud monitoring activities. They are also continuing to work closely with federal law enforcement.

What Happened?

It is understood that at various periods during March and April last year, malware began running on in-store payment processing systems at potentially all Wawa locations. By April 22, 2019, the malware was present on most of Wawa’s stores’ systems.

Unfortunately, Wawa’s information security team only identified the malware mid-December 2019. However, they then rapidly blocked and contained all malicious software. They also swiftly initiated an investigation, notified customers, law enforcement agencies and payment card companies. Furthermore, Wawa engaged a leading external forensics firm to support their response efforts.

What Information Was Involved?

Based on Wawa’s investigation to date, the malware stole payment card information, including credit and debit card numbers, expiration dates, and cardholder names. Both in-store payment terminals and fuel dispensers were affected. However, it is possible that this was not the case for all locations. Some may not have been affected at all.

Wawa confirms that no other personal information was accessed. Thus, debit card or other PIN numbers, credit card CVV2 numbers (the three or four-digit security code printed on the back of the credit cards) and driver’s license information used to verify age-restricted purchases have not been stolen. In-store ATM cash machines were also not involved in the data breach incident.

Is This Data Now Being Sold?

Early this week, cybercriminals began selling millions of stolen payment card accounts on the dark web. Wawa is not named, but security experts are confident the retailer is the source. Data like this is typically worth about $17 per card. However, data from this type of breach is often in low demand. This is because hackers did not obtain CVV details and because of the case’s high profile and Wawa’s swift response.

Nonetheless, the criminals are offering over 30 million “perfect pure fresh data dumps” across 40+ US States stemming from a nationwide data breach. They also boast having over 1 million non-US records from more than 100 different countries.

If this were the case, the Wawa data breach would rank amongst the largest payment card breaches of all times. However, much of the data appears to have been falsified. Consequently, no more than 6 or 7 states seem to have been genuinely affected.

Wawa’s Response?

So far, Wawa has been very transparent about the incident and the various steps they are taking to remedy the situation and enhance the security of their systems.

As soon as Wawa discovered the malware on December 10, 2019, the retailer took immediate steps to contain it. By December 12, Wawa had blocked and contained it. Wawa then engaged a leading external forensics firm to investigate. The retailer is also closely working with law enforcement to support their ongoing criminal investigation.

Furthermore, Wawa wrote an open letter to their customers to explain what happened and offered their help. To provide help, they have launched a toll-free call center to answer customer questions. Moreover, Wawa has also offered free credit monitoring and identity theft protection to anyone whose information may have been involved in the breach.