9-Month Compromise of Wawa Results in Data Breach of More Than 30 Million Credit Cards

The breach, discovered in December of last year, is suspected to have led to the theft and subsequent sale on the dark web of one of the largest hauls of customer credit card data to date.

It’s every company’s worst nightmare: an attacker didn’t just gain access to the network, and didn’t just steal data; they’re selling it, which confirms both that the breach occurred and the scope of the data theft. According to KrebsOnSecurity, Wawa notified customers in December 2019 that malware had been found on both in-store payment processing systems and fuel dispensers at all of its locations.

Subsequently, the data has shown up for sale at a relatively well-known dark web carding market, Joker’s Stash. Currently only a portion of the cards has been released (presumably to maintain the value of the cards over time), but given the details provided about the nature of the breach, there is little reason to doubt the 30 million+ figure.

According to experts at threat intelligence firm Gemini Advisory, U.S. credit card details are valued at $17 each, with foreign credit cards valued much higher at $210 each.

How the attackers gained access to Wawa’s network remains a mystery to anyone outside Wawa for now; very few details are available thus far. There are a limited number of initial attack vectors that come to mind: vulnerability exploits, exposed RDP, phishing, social engineering, or insider activity. The presence of malware on point-of-sale machines at every location also suggests that lateral movement and stolen privileged credentials played a role in the attack, since reaching every payment system and fuel dispenser requires more than a single initial foothold.

For now, organizations need to be vigilant, taking this story as a warning of what can easily happen in any company. Layered security, up-to-date patching, endpoint protection, and Security Awareness Training are all part of a solid security strategy that reduces the risk of a successful attack.

Request A Demo: Security Awareness Training

New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one-and-done deal: continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
