A data breach has hit Wawa, an East Coast-based convenience store and gas station, as hackers broke into over 850 Wawa stores and potentially exposed 30 million sets of payment records including those from Asian countries — making it largest payment card breaches of all time. According to cybersecurity firm Gemini Advisory, information from the Wawa hacking emerged on the Dark Web this week at the Joker’s Stash marketplace, one of the largest and most notorious dark web marketplaces for buying stolen payment card data.
Gemini determined that the point of compromise for the breach titled BIGBADABOOM-III is Wawa, the East Coast-based convenience store and gas station.
The company first discovered the breach on December 10, 2019. “Major breaches of this type often have low demand in the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise,” said Gemini. However, Joker’s Stash uses the media coverage of major breaches such as these to bolster their credibility as the most notorious vendor of compromised payment cards.
The full data collection includes 30 million US records across more than 40 states, as well as over one million non-US records from more than 100 different countries, claimed Gemini. It is similar to Residence Depot’s 2014 breach exposing 50 million prospects’ information or to Goal’s 2013 breach exposing 40 million units of fee card information, the researchers noted.
Wawa said it is responding to reports that hacked information from its customers’ credit cards may be being sold on the dark web. Based on Gemini’s analysis, the initial set of bases linked to “BIGBADABOOM-III” consisted of nearly 100,000 records. While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries.
“Non-US-based cardholders likely fell victim to this breach when travelling to the United States and transacting with Wawa gas stations during the period of exposure,” said the report. The median price of US-issued records from this breach is currently $17, with some of the international records priced as high as $210 per card.