Security pros from threat intelligence company Gemini Advisory revealed that hackers kept credit card details of Wawa’s clients on “Joker’s Stash,” a dark web market for trading stolen credit card data. Researchers mentioned that hackers advertised the stolen card’s data as “BIGBADABOOM-III,” and the data belongs to 30 million Us citizens and over one million foreigners from more than 100 different countries.
It’s believed that Joker’s Stash contains debit/credit card details from the United States, European, and global cardholders, which includes their geolocation data like state, city, and ZIP Code. Within an official statement, Wawa confirmed that hackers attempted to sell the client’s credit card info that breached in the security incident that occurred on December 10, 2019.
“We became aware of reports of criminal attempts to sell some customer card info potentially involved in the previous Data Security Incident announced by Wawa on December 19, 2019. We’ve alerted our credit card processor, card brands, and credit card providers to heighten scams monitoring activities to help further protect any customer information greatly. We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific client payment card data,” the statement read.
Regarding Chris Gheysens, Wawa’s CEO, the company found a malware payload in its payment processing systems on December 10, 2019. The security team at Wawa blocked the malware and believed that the malware no more posed any risk to clients making payments at Wawa stores.
However, the malware affected the clients who made payments at Wawa stores and gasoline stations. Since March 4, 2019, the incident potentially affected 850 stores, that are operated by Wawa over the East Coast from Pennsylvania to Florida.
The exposed financial information included debit and credit card numbers, expiration dates, and cardholder names. However, PINs and CVV numbers were not exposed. The company also clarified that there surely is no evidence of any unauthorized usage of exposed payment info.
Investigation Under Process
Within a related incident, a class-action lawsuit was filed against Wawa Stores for failing woefully to protect the client’s data. The lawsuit that was filed in the United States District Court for the Eastern District of Pennsylvania brought many people who claim the breach impacted them.
The lawsuit claimed that Wawa failed to secure its computer systems from hackers who installed malware that potentially affected Wawa’s payment systems. It also accused Wawa of breach of contract and violating customer protection laws.