If your credit or debit card was among those captured by hackers who breached Wawa’s network last year, it’s probably now for sale on the dark web.
This week, hackers began advertising the card data for more than 30 million consumers who had used their cards at the East Coast convenience store chain. Experts at Gemini Advisory, a threat intelligence firm, say the source of the card data has been confirmed as coming from Wawa.
Wawa reported it had been the victim of a major data breach back in December. The chain said hackers had successfully placed malware in its point-of-sale systems, with more than 800 locations being affected.
Wawa said its security team found the malware on the company’s payment processing servers on December 10 and contained it two days later. The company says it brought in forensic investigators who determined that the malware began running at different times after March 4.
A record breach
What is now known is that the Wawa data breach may be one of the largest in history. Because it went undetected for so long, millions of customers used their payment cards while blissfully unaware that hackers were stealing their data.
The security experts at Gemini Advisory identified the marketplace for stolen Wawa data as Joker’s Shash, one of the largest dark web marketplaces trafficking in stolen credit card data. The data package was marketed under the name “BIGBADABOOM-III.”
“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time,” Gemini Advisory wrote in its blog.
It may be slightly larger than the 2013 breach of Target’s credit card network, which involved tens of millions of customers. Target paid $18.5 million to settle the issue with 47 states.
Most card data may go unsold
The firm said major breaches of this type often have low demand from customers on the dark web since credit card companies often act quickly to cancel compromised cards.
Wawa customers who used a payment card at any location between early March and mid December should carefully examine their bank and credit card statements during that time for unauthorized charges.
Customers should also notify the fraud departments of their card issuers to tell them the card was used at Wawa and may be potentially compromised. The institution may decide to issue new cards as a precaution.
When it announced the breach last month, Wawa said it would offer identity protection and credit monitoring services at no charge to affected customers. You’ll find information about signing up here.