#Privacy: Over 30m payment cards exposed from Wawa breach currently on sale

More than 30 million payment cards stolen from a 2019 breach at convenience store chain Wawa are for sale on the dark web. 

In late December last year, Wawa disclosed a major security breach whereby malware had been found on its payment processing servers. 

An investigation revealed that the malware had been running at different points in time after March 4, 2019. The malware had collected card details for all customers who used either debit or credit cards to buy goods at any of its 850 stores. 

According to Gemini Advisory, The Joker’s Stash, one of the largest and most notorious dark web marketplaces for buying stolen payment card data, has begun uploading records from the Wawa breach, titled “BIGBADABOOM-III” and appearing in four different bases.

“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time. It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data,” wrote Gemini Advisory. 

Based on an analysis by Gemini, “the initial set of bases linked to ‘BIGBADABOOM-III’ consisted of nearly 100,000 records.” The majority of those records were from US banks and linked to US-based cardholders, whilst some records were also linked to cardholders from Europe, Latin America, and several Asian countries.

It is likely that non-US based cardholders also fell victim to the breach when travelling to the US and “transacting with Wawa gas stations” during the exposure. 

Currently, the Joker’s Stash team is selling the details of US-issued cards at $17 per card, whilst some international cards are being priced as high as $210 per card. 

In a press release issued yesterday, Wawa confirmed that it had notified the firm’s payment card processor, payment card brands and card issuers to heighten fraud monitoring activities. 

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” Wawa added.

