adimas - Fotolia
Payment card information from the Wawa data breach last month has reportedly been put up for sale on a dark web marketplace, though questions remain about the validity of the information and the scope of the breach.
The convenience store and gas station chain first disclosed on Dec. 19 a data breach that resulted in the theft of customer payment card information. The Wawa data breach stemmed from malware that was installed on the company's payment processing servers, which affected payment card information, including numbers, expiration dates and cardholder names, for cards used at "potentially all Wawa in-store payment terminals and fuel dispensers" after March 4 last year. According to Wawa's breach disclosure, the breach was discovered on Dec. 10 and contained by Dec. 12, though it's unclear how long the malware was on the company's network.
On Jan. 27, a dark web marketplace known as Joker's Stash began selling card data from a nationwide breach of more than 30 million cards that is being advertised as "BIGBADABOOM-III." Allegedly, the data comes from thousands of financial institutions, more than 40 U.S. states and over 100 countries.
However, Gemini Advisory, a cybersecurity company based in New York, published a research report Tuesday that determined the source of BIGBADABOOM-III was the Wawa data breach, and said the 40+ U.S. states number may have been exaggerated.
"We examined the data and determined that the 40-plus states announced on Joker's Stash was not accurate and that the breach only affected six states, each of which were states containing Wawa locations," Christopher Thomas, Gemini's intelligence production analyst and an author of Gemini's report on the breach, told SearchSecurity.
Through their analysis, Gemini concluded that Wawa was the primary victim of the breach, though it is unknown if they were the only victim within the BIGBADABOOM-III collection.
The payment card data released in the first batch of nearly 100,000 payment records includes card numbers, expiration dates and some geolocation data, but no debit card PINs or credit card CVV2s.
When asked about how much damage someone could do without PINs or CVV2s, Thomas said "It's not an ideal amount of information from a cybercriminal's perspective, but it gives you openings. It gives you the ability to try to obtain further data from cardholders."
The same day that Gemini Advisory released their report on Jan. 28, Wawa released an additional statement saying it was "aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident announced by Wawa on December 19, 2019."
"We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," Wawa said. "We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data."
It's unclear how many customers were affected in the Wawa data breach. The company hasn't disclosed how many payment card numbers were compromised in the breach, and Gemini Advisory said it's difficult to determine the scope based on the Joker's Stash sale.
"Right now, it's totally unclear if the true number will be 30 million," Thomas said.
SearchSecurity asked Wawa if the 30 million payment cards report was accurate, if any customers have reported fraudulent charges on their cards and what steps it may be taking to prevent future breaches. The company declined to answer the questions and instead responded with a copy of its latest statement on the breach as well as a link to this page detailing the breach.