Incident Of The Week UPDATE: Wawa Customer Payment Card Data Found on Dark Web

Up To 30 Million Records For Sale From 2019 Data Breach

Add bookmark

Jeff Orr
02/13/2020

Payment Card Data For Sale

In December, an Incident Of The Week report highlighted the retail malware data breach of convenience and fuel chain Wawa.

The brand resurfaced recently issuing a press release acknowledging reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident.

We originally highlighted a breach disclosure from convenience store brand Wawa due to malware capturing customer payment card data on in-store transaction terminals across most of its 850 locations Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia and Washington, DC.

“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” said the Wawa prepared statement. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”

See Related: The Most Read Content On Cyber Security Hub

Wawa Customer Payment Card Data Hits The Dark Web

The release refers to a report from Gemini Advisory researchers Stas Alforov and Christopher Thomas stating that details of 30 million payment cards were found for sale on a notorious dark web marketplace. Upon investigating, the researchers determined the point of compromise to be Wawa.

The demand for data from a major breach such as this is considered low in the dark web. Some believe that a merchant’s public statement notifying customers how to protect their personally identifiable information (PII) and secure credit assistance has a direct correlation to decreased value. However, the marketplace hosting the data dump is known to use media coverage of major breaches as validation of its credibility.

See Related: Retail Point-Of-Sale Malware Hits Landry’s Restaurant Group

Not All Data Incidents Are Created Equal

Data incident disclosures are increasingly common – some might say compulsory – even though unauthorized access may never have occurred. In the case of exposed databases, security researchers are utilizing tools to scan for known signatures of online servers. Simply because one is discovered and its owner identified, it doesn’t necessarily mean that data was exfiltrated.

In the case of malware delivery, the bad actors seem intent on collecting as much information as possible for the purpose of monetizing what was stolen. The recent pattern of behavior has been deploying malware on retail point-of-sale (POS) terminals that siphon payment card information before it is encrypted and transferred to the payment processor.

Increased Risk From Stolen Data Found In The Wild

As part of its initial investigation, an external forensics team hired by Wawa discovered that the malware began running at different points in time around April 2019. In the 8 months prior to the infection’s discovery, hackers had ample opportunity to amass a trove of customer information.

Though no customer PINs nor CVV data was involved, the online dump of payment card info also contained city, state and ZIP code details able to be geo-matched to the card owner.

See Related: All Incident Of The Week Reports

RECOMMENDED