The breach, discovered in December of last year, is suspected to have led to the theft and subsequent sale of one of the largest takes of customer credit card data on the dark web.
It’s every company’s worst nightmare: the attackers didn’t just gain access to the network and steal data – they’re selling it, which confirms both that the breach occurred and the scope of the data theft. According to KrebsOnSecurity, Wawa customers were sent a notification in December of 2019 that malware was found on both in-store payment processing systems and on fuel dispensers at all of their locations.
Subsequently, the data has shown up for sale at a relatively well-known dark web location, Joker’s Stash. Currently only a portion of the credit cards have been released (presumably to maintain the value of the cards on the dark web over time), but given the details provided about the nature of the data breach, there’s little reason to suspect that the 30 million+ number is not accurate.
According to experts at threat intelligence firm Gemini Advisory, U.S. credit card details are valued at $17 each, with foreign credit cards valued much higher at $210 each.
How attackers gained access to Wawa’s network remains a mystery outside of Wawa for now. There are very few details available thus far. There are a limited number of initial attack vectors that come to mind – vulnerability exploits, RDP, phishing, social engineering, or insider activity. And the presence of malware on point-of-sale machines may indicate that lateral movement and stolen privileged credentials played a role in the attack.
For now, organizations need to be vigilant, taking this story as a warning of what can easily happen in any company. Layered security, up-to-date patching, endpoint protection, and Security Awareness Training are all part of a solid security strategy that reduces the risk of a successful attack.