Wawa Breach, SEC publication & Plant closes following breach

It is Wednesday, January 29th, 2020, and here are today’s most pressing cyber stories we need to know about.


Wawa card breach may rank as one of the biggest of all time

On Monday, criminal hackers put up for sale the payment card details of more than 30 million Americans and over one million foreigners on Joker's Stash, the internet's largest carding fraud forum.

This new "card dump" was advertised under the name BIGBADABOOM-III. However, according to experts at threat intelligence firm Gemini Advisory, the card data was traced back to Wawa, a US East Coast convenience store chain.

A month before, in December 2019, Wawa disclosed a major security breach, admitting that hackers had planted malware on its point-of-sale systems. Wawa said the malware collected card details for all customers who used credit or debit cards to buy goods at its convenience stores and gas stations. The company said the breach impacted all its 860 convenience retail stores, of which 600 also doubled as gas stations.


According to Wawa, the malware operated without being detected for months, between March 4 and December 12, when it was removed from the company's systems.

This prolonged infection period, along with a massive compromise of hundreds of different locations, appears to have allowed the criminal group behind this hack to amass a huge trove of payment card details.

"Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time," Gemini Advisory said today when describing the breadth of the Wawa breach.

"It is comparable to Home Depot's 2014 breach exposing 50 million customers' data or to Target's 2013 breach exposing 40 million sets of payment card data," they said.

Gemini Advisory says that after analyzing the data, the Wawa card dump appears to include "30 million US records across more than 40 states, as well as over one million non-US records from more than 100 different countries."

In a press release published today after Gemini Advisory published its report, Wawa said it became aware that customer card data was now being offered for sale online. The company also didn't contest the accuracy of the Gemini Advisory report, effectively confirming that this week's Joker's Stash card dump came from its systems.


"We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," Wawa said, also adding that it will continue to work with law enforcement to investigate the hack.

The store chain also said "that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved."

However, according to an obtained sample of the Wawa card dump, the dump did include CVV2 numbers, despite Wawa's claims.