January 29, 2020
Stolen credit card and debit card information belonging to Wawa customers could be for sale on the dark web, a cybersecurity firm called Gemini Advisory said on Tuesday. The firm made the discovery on the dark web marketplace Joker’s Stash earlier this week.
Joker’s Stash is described as “one of the largest and most notorious web marketplaces for buying stolen payment card data.”
The firm said that the convenience store’s data breach potentially exposed 30 million sets of payment records and impacted over 850 stores, making it one of the largest data breaches of all time.
Wawa put out a press release on Tuesday, saying that it “became aware of reports of criminal attempts to sell some customer payment card information.”
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”
Gemini Advisory’s report comes just a month after the popular convenience store suffered a massive data breach affecting payment systems at most, if not all, of its convenience stores in 2019.
The data breach potentially compromised customers’ credit and debit card information inside Wawa stores and at its gas pumps, as its locations were exposed to malware over the span of 10 months, starting in March 2019.
The convenience store chain believes credit and debit card numbers, expiration dates, and cardholder names were affected by the malware, but not debit card PIN numbers, credit card CVV2 numbers, ATM transactions, or driver's license information. The malware was finally contained on Dec. 12.
Wawa believes the malware had been present on a majority of its store systems by April 22, and that its information team identified the malware on Dec. 10, ultimately notifying law enforcement and payment card companies.
“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” Wawa said in the statement. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.”
As a result of the hack, Wawa is facing a class-action lawsuit from at least six plaintiffs, including a New Jersey woman.