30 Million Potential Wawa Customers' Details up for Sale on Joker’s Stash

  • The dump includes 30 million US records across more than 40 states and over one million non-US records from more than 100 different countries.
  • Hackers were reportedly selling the details of US-issued cards for $17 per card while data for international cards were priced at a higher $210 per card.

A massive database containing data from 30 million customer payment cards was put up for sale on the infamous Joker’s Stash dark web forum.

What happened?

Researchers have traced the data dump back to the Wawa Inc breach from December 2019.

  • A new "card dump" appeared under the name of BIGBADABOOM-III on Joker’s Stash earlier on Monday.
  • Experts at threat intelligence firm Gemini Advisory revealed that the card data could be traced back to Wawa, a US East Coast convenience store chain.
  • Hackers were reportedly selling the details of US-issued cards for $17 per card (on average) while data for international cards were priced at a higher $210 per card.

Back-story of the Wawa breach

Wawa Inc had disclosed a major security breach on its point-of-sale systems in December 2019.

  • The company said the actors managed to collect card details for all customers who used credit or debit cards to buy goods at their convenience stores and gas stations.
  • The breach had hit all of its 860 convenience retail stores, of which 600 include gas stations.
  • The malware operated for months from March 4 until December 12. It was removed soon after coming to the notice of the authorities.

More from the advisory

According to Gemini Advisory, the breach can be listed among the largest payment card breaches of 2019, and of all time.

  • The dump includes 30 million US records across more than 40 states and over one million non-US records from more than 100 different countries.
  • The breach incident was compared to Home Depot's 2014 breach which exposed 50 million customers' data.
  • It was also equated with Target's 2013 breach, which exposed 40 million sets of payment card data.

What was the response from Wawa?

After the Gemini Advisory report, Wawa acknowledged the fact that customer card data was now being sold online on the dark web.

  • The company, however, did not comment on or associate itself with the Gemini Advisory report.
  • It said it had alerted the company’s payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities.
  • The firm also noted that it will continue working with law enforcement to investigate the hack.