Skip to main content

30 million payment cards exposed online in Wawa breach

(Image credit: Image Credit: A. and I. Kruk / Shutterstock)

Payment data of more than 30 million Americans and more than a million others, which was stolen from Wawa late last year, has found its ways to Joker's Stash, an internet forum for credit card fraud and theft. The database, or as the hackers call it “card dump” is being advertised as BIGBADABOOM-III, where payment information is being sold for $17 a card.

International cards are more expensive, going for $210 a card.

"The Wawa breach aligns with Joker's Stash's tactic of adding records stolen from large merchants in publicly disclosed major breaches only after the breach is announced," experts at threat intelligence firm Gemini Advisory said. “Joker's Stash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards."

Even though Wawa said the dump doesn’t contain CVV2 numbers, ZDNet’s investigation seems to suggest otherwise.

"We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," Wawa said after learning of the sale. The company also said it would continue working with law enforcement as it investigates the hack.

The Wawa breach is considered to be one of the most devastating attacks of recent times. It lasted for months, from March to December 2019. Point of sale systems in more than 800 locations were compromised and data transferred to the hackers’ CnC servers.

The malware was finally detected and removed on December 12.