On December 19, 2019, WaWa announced their payment systems had been breached for approximately nine months. Throughout that time, Wawa’s malware infected payment processing servers swiped credit and debit card numbers, expiration dates, and cardholder names. Chris Gheysens, WaWa’s CEO, stated no other personal information was accessed, such as debit card PINs or credit card CVV2 numbers.
The company reiterated this information after Gemini Advisory, who specializes in cyber threats and monitoring the Deep and Dark Web, reported that Wawa’s stolen data had finally surfaced yesterday, January 28th. It’s an odd move for Wawa, since reality has little in common with their statement. ZDNet published a sample of the card data a few hours after Wawa’s press release, one showing that CVV2 numbers were among the information the hackers obtained.
Joker’s Stash, one of the Dark Web’s most notorious marketplace’s, began uploading records on January 27th to officially kick off their auction. Thus far, only a fraction of the data’s available, and most of it pertains to information drawn from Wawa’s stores in Florida and Pennsylvania.
So far.
When Wawa first announced the data breach, there was a lot of fervent praying. If the company was right, and the theft’s scope was limited, the damage might be comparatively minimal. Those prayers went unanswered. According to Gemini Advisory’s analysis, the Wawa card dump likely includes thirty million records, from more than forty states, and at least one million non-US records from over one hundred different countries.
That puts Wawa’s breach into the big time, folks. Most likely, only Home Depot’s in 2014 (fifty million records) and Target’s in 2013 (forty million) were worse.
Gemini Advisory stated that Joker’s Stash is currently selling US-issued card data for about $17 each, whereas the record for an international card is set around $210. The cyber firm also pointed out that, “Apart from banks with a nationwide presence, only financial institutions along the East Coast have significant exposure. Notably, major breaches of this type often have low demand in the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise. However, JokerStash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards.”
At least one institution is ahead of the game. The Woodbridge, NJ based Northfield Bank didn’t buy Wawa’s assurances. They closed 2,000 debit card accounts back in late December and early January.
That’s the moral of the story. It’s not worth waiting for something to happen, because this story is far from over. Rest assured, the New Jersey data will show up, and one of the best ways to protect yourself is easy. Get new cards, change your pin numbers, etc. Will that fix everything? Probably not, but it’ll go a long way.
Of course, the other step you can take to protect yourself should be reasonably evident. Don’t believe anything Wawa says. They had a chance to admit the scope of this breach was greater than Gheysens first claimed, but the company chose not to go the complete disclosure route. Nobody can say for certain yet, but it seems unlikely future investigations won’t show Wawa knew, either at the time of their disclosure or soon afterward, that critical information, such as CVV2 numbers, was stolen. Wawa’s narrative already departed from reality, and only time will tell how deep the proverbial rabbit hole goes.