In late December 2019, the convenience store chain Wawa was hacked by an unknown attacker who stole credit card info from 30 million people and is now trying to sell it.
Reports from late December 2019 brought news of one of the last major hacks of that year, after the convenience store chain Wawa revealed that it had been hacked. Wawa also admitted to losing some of its customers’ payment data to the attacker. Now, about a month after the attack, the stolen data has resurfaced, and researchers say it includes credit and debit card info belonging to around 30 million people.
Wawa breach: A hacker is selling 30 million stolen credit cards on the dark web, cyber experts say. https://t.co/ub1VT1B374
— FORTUNE (@FortuneMagazine) January 28, 2020
Security researchers from Gemini Advisory report that they identified the hacker by the online name Joker Stash, who posted the spoils of the attack on the dark web on Monday evening. He claims to have over 30 million card numbers belonging to customers from over 40 states. The hacker never specifically mentioned Wawa, but Gemini Advisory feels confident that this is the source of the data.
Wawa, based in Philadelphia, released a statement the following day, acknowledging the data dump. The company, which owns over 850 stores throughout the US, stated that it is still working closely with the authorities as the investigation continues.
Wawa admitted to the breach soon after it happened, in December. Back then, its CEO, Chris Gheysens, said that the store was not aware of any unauthorized use of the cards stolen during the incident. He also stated that the affected customers would not be held responsible for unauthorized charges.
The breach was made possible by a malware infection, according to Gemini researcher Andrei Barysevich. Furthermore, he said, the sale of the stolen data fits a well-known pattern that multiple hackers tend to follow. Stolen information is usually sold to other criminals in smaller batches, and the average price is $17 per card.
Barysevich expects that potential buyers might include Northeast-based criminal gangs, as foreign banks would likely flag North American cards as suspicious. Fortunately, Wawa notes that the hacker did not steal the cards’ security codes, which will make it difficult for criminals to use the cards. Meanwhile, if the hacker truly does have over 30 million cards, this would be one of the country’s largest breaches since the hacks of Hilton Hotels and Target.