One of the largest data leaks ever traced back to Wawa's 2019 malware attack

On Monday, hackers put up for sale the payment card details of more than 30 million Americans and over one million foreigners on Joker's Stash, the internet's largest carding fraud forum.

This new "card dump" was advertised under the name of BIGBADABOOM-III; however, according to experts at threat intelligence firm Gemini Advisory, the card data was traced back to Wawa, a US East Coast convenience store chain.

A month before, in December 2019, Wawa disclosed a major security breach during which the company admitted that hackers planted malware on its point-of-sale systems. Wawa said the malware collected card details for all customers who used credit or debit cards to buy goods at their convenience stores and gas stations. The company said the breach impacted all its 860 convenience retail stores, of which 600 also doubled as gas stations.

According to Wawa, the malware operated for months without being detected, from March 4 until Dec. 12, when it was removed from the company's systems.

One of the biggest card breaches known to date

This prolonged infection period, along with a massive compromise of hundreds of different locations, appears to have allowed the criminal group behind this hack to amass a huge trove of payment card details.

"Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time," Gemini Advisory said today when describing the breadth of the Wawa breach.

"It is comparable to Home Depot's 2014 breach exposing 50 million customers' data or to Target's 2013 breach exposing 40 million sets of payment card data," they said.

Card details are for sale for around $17 per card

Gemini Advisory said that after analyzing the data, the Wawa card dump appears to include "30 million US records across more than 40 states, as well as over one million non-US records from more than 100 different countries."

In a press release published today after Gemini Advisory published its report, Wawa said it became aware that customer card data was now being offered for sale online. The company also didn't contest the accuracy of the Gemini Advisory report, effectively confirming that this week's Joker's Stash card dump came from its systems.

"We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," Wawa said, also adding that it will continue to work with law enforcement to investigate the hack.

The store chain also said "that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved."

However, according to a sample of the Wawa card dump obtained by ZDNet, the card dump did include CVV2 numbers, despite Wawa's claims.

Gemini experts said the Joker's Stash team is currently selling the details of US-issued cards for $17 per card, on average, while data for international cards is priced at a higher $210 per card.

"The Wawa breach aligns with Joker's Stash's tactic of adding records stolen from large merchants in publicly disclosed major breaches only after the breach is announced," the Gemini Advisory team said.

"Joker's Stash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards."