Expert Analysis of Wawa Breach That Potentially Compromised 30 Million+ Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states. Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening — dubbed “BIGBADABOOM-III” by Joker’s Stash — map squarely back to cardholder purchases at Wawa.


EXPERT COMMENTS
Mark Bell, EVP Operations, Digital Defense
January 30, 2020
It’s hard to understand how a breach of this magnitude is still occurring in today’s card-present security environment.
This is why it is so important that merchants and card issuers need to fully adopt EMV chip and contactless technology to prevent card-present fraud on a scale such as this. Although the magnetic stripe likely will not go away for years to come, card readers should not allow the use of the magnetic stripe if a card is EMV chip-enabled. It’s hard to understand how a breach of this magnitude is ....
Robert Capps, VP, NuData Security
January 30, 2020
Many retailers and are suffering from PoS attacks as hackers deploy malware within the merchant payment ecosystem, in an effort to steal credit card information as consumers provide it. Once stolen, this card data, including card number, expiration date, CVV, and some consumer information, are sold on the dark web to hackers who are amassing this stolen information for counterfeit cards and card-n ....
Stuart Sharp, VP of Solution Engineering, OneLogin
January 30, 2020
Whether or not these readers would have prevented the attack.
The recent focus by cybercrime groups on fuel dispenser merchants in the US highlights the fact that cybercriminals will target the weakest link. Defending against any type of computer-related crime must be based on a strategy of reducing risk. Companies can greatly reduce the likelihood that they will be a target of cybercriminals by taking some simple first steps. In Wawa’s case, this could have been to i ....
Sam Curry, Chief Security Officer, Cybereason
January 30, 2020
Explanations for breaches of this sort in the payment card and financial services demand a little more than a form letter and business as usual.
It's become almost a reflex now: another letter in the mailbox, "we regret to inform you that due to a breach, your personal data may have been...." The number of identity compromises by this point is over 10 times the population of the United States, and yet life continues. The unthinkable has become the mundane and the routine. This still doesn't excuse the breaches. Fool me once, shame on you. ....
James McQuiggan, Security Awareness Advocate, KnowBe4
January 30, 2020
Granted, it's a huge overhaul of all the POS systems at gas stations to get them upgraded to the new secure readers.
It's been a month since the Wawa breach was discovered that the card information is showing up as available for criminal hackers. At this point, it is unlikely that a lot of these card numbers will be sold because the Card Verification Value (CVV) information wasn't part of the data breach and thus makes them difficult to use in the wild. The intent of having the card information could be used for ....