WAWA, Penn.—The Wawa data breach appears to be bigger than originally reported and may include up to 30 million consumer records.
As CUToday.info reported, in late December the convenience store chain said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide.
Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach, Krebs on Security reported.
“On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from ‘a new huge nationwide breach’ that purportedly includes more than 30-million card accounts issued by thousands of financial institutions across 40+ U.S. states,” Krebs stated.
New Batch of Cards for Sale
Two sources who work closely with financial institutions nationwide told KrebsOnSecurity the new batch of cards that went on sale — dubbed “BIGBADABOOM-III” by Joker’s Stash — maps squarely back to cardholder purchases at Wawa, Krebs said.
On Dec. 19, Wawa sent a notice to customers saying the company had discovered card-stealing malware installed on in-store payment processing systems and fuel dispensers at potentially all Wawa locations. Wawa says it discovered the intrusion on Dec. 10 and contained the breach by Dec. 12, but that the malware was thought to have been installed more than nine months earlier, around March 4.
The exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Wawa said the breach did not expose personal identification numbers (PINs) or CVV records (the three-digit security code printed on the back of a payment card).
Company’s Response
Krebs said a spokesperson for Wawa confirmed the company became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on Dec. 19.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”
