Payment Cards Exposed in Wawa Breach Offered for Sale on Dark Web

Posted on January 29, 2020
PLEASE_READ_ME Ransomware Campaign Targeting MySQL Servers
Digital criminals posted customers' payment card details exposed in the 2019 Wawa data breach for sale on a dark web marketplace. In December 2019, the Joker's Stash first announced what it called the "BIGBADABOOM-III" breach. Advertisements posted by the dark web marketplace announced that the breach included over 30 million payment card details exposed in a nationwide security incident that allegedly affected over 40 states. They said that the breach also contained an additional one million payment card records from Europe, Asia and elsewhere.
Wawa_img1-scaled-1.jpg
One of the Joker's Stash announcements for BIGBADABOOM-III. (Source: Gemini Advisory) Upon learning of BIGBADABOOM-III, Gemini Advisory decided to investigate the origins of the breach. The security firm ultimately traced its point of compromise to a 2019 security incident involving Wawa. Back in mid-December, Wawa announced that it had discovered malware on its payment processing systems earlier in the month. A subsequent investigation determined that the malware could have exposed as many as 30 million payment cards used at all 850 of Wawa's U.S. gas station and convenience store locations between March 4, 2019 and early December, 2019. Gemini Advisory analyzed the initial set of data released for BIGBADABOOM-III and found that it contained approximately 100,000 records. Most of those linked back to cardholders located in the United States, with Florida and Pennsylvania receiving the greatest share of the exposure. A minority of cards belonged to consumers in Latin America, Asia and elsewhere. The average price of a U.S. record offered in the breach was $17, while international records went for as high as $210. In a blog post detailing its findings, Gemini Advisory explained that BIGBADABOOM-III fit the model of what Joker's Stash has done with some of its other advertised breaches:
Notably, major breaches of this type often have low demand in the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise. However, JokerStash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards.
Consumers who used their payment card at a Wawa location during the time of compromise should continue to review their financial statements for fraudulent transactions. If they detect anything suspicious, they should alert their card issuers as soon as possible.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!