Data Security

Stolen card data of millions of Wawa customers sold on dark web

Wawa Inc., a renowned Pennsylvania, US-based fuel and convenience store chain, admitted in December 2019 that its payment card processing systems across all of its locations were infected with malware for nine months in a row leading to the stealing of financial information of roughly 30 million Wawa customers. Now, it is time for the company to face its worse nightmare as the first batch of the stolen data is up for sale on the Dark Web, the hub of illicit activities.

Reportedly, Wawa customers from 850 different locations across the country visiting its website during the last nine months are affected by the data breach. Wawa stated that payment and credit card related information of its customers was posted for sale in January 2020 on Joker’s Stash, which is a Dark Web marketplace used primarily by cybercriminals to sell hacked data or commit fraud.



It is worth noting that the Joker’s Stash marketplace is administrated by JokerStash hacking syndicate also known as Fin7. In 2018, three main hackers of the group were also arrested by the FBI, however, their criminal activities continue to exist, for instance, last year the group was selling the largest database of Indian credit/debit card records.

Screenshot of Wawa listing on Joker’s Stash marketplace (Credit: Gemini Advisory)

According to a blog post by Gemini Advisory, a dark web threat intelligence firm, the data currently on sale at Joker’s Stash marketplace is dubbed “BIGBADABOOM-III,” and was posted online on 27 January, 2020.

On the other hand, on December 19th, 2019, Wawa notified its customers about the data breach an official statement, according to which the company’s fuel dispensers and in-store payment processing systems at all of its locations were infected with card-stealing malware.


The company identified the security breach on December 10th, 2019 and the threat was “mitigated” by Dec 12. Further investigation revealed that the malware was installed over nine months ago, roughly in the first week of March 2019.

Moreover, the company revealed that the stolen data includes credit/debit card numbers, cardholder names, and card expiration dates. However, it is confirmed by Wawa that the three-digit security code called CVV records or the personal identification numbers (PINs), wasn’t part of the stolen data.

In a comment to HackRead, Terbium Labs’ Emily Wilson said that, “This news from Wawa further illustrates just how much time can pass between criminals gaining access to secure systems and when businesses catch up to the problem. In this case, cyber criminals had the better part of the year to siphon off cardholder information from Wawa’s vast network of stores; while I’m sure the fraudsters weren’t happy to be caught, they can boast quite a trove of information from their time undetected.”

“During that ten-month window, cyber criminals could easily have allocated cards out to criminal carding shops and fraud forums, mixing unsuspecting Wawa customer data in with stolen cards from a host of other breaches. Stolen payment cards are in high demand on criminal platforms, and the Wawa breach was no doubt a nice inventory boost for the cybercrime community – especially for any lingering cards that may be up for grabs for fraudsters looking to do some shopping this holiday season,” added Emily.



Wawa’s spokesperson stated that the company is aware of the reports that the stolen data of its customers is up for sale at Joker’s Stash. The cybercrime research firm Gemini Advisory noted that the data is being sold under a threat that claims it to be the biggest data breach in the past five years. But, it is not yet confirmed whether the data on sale at the Dark Web forum is connected to Wawa or not.

Nevertheless, Wawa claims that it has “alerted” its payment card brands, card issuers, and payment card processors to amplify their fraud monitoring measures to protect customer data. Furthermore, the company is working closely with federal law enforcement authorities to determine the extent of data theft. Customers are asked to be careful and monitor transactions carefully to immediately identify any fraudulent charges.

“While credit monitoring is a nice gesture, it’s often too little too late in the fight against cyber criminals. Consumers are better off freezing their credit – blocking fraudsters from opening new cards or accounts in the first place – rather than relying on reactive alerts that a fraudulent account has already been opened,” warned Emily.


According to Mark Bell, EVP Operations at Digital Defense, Inc., “This is why it is so important that merchants and card issuers need to fully adopt EMV chip and contactless technology to prevent card-present fraud on a scale such as this. Although the magnetic stripe likely will not go away for years to come, card readers should not allow the use of the magnetic stripe if a card is EMV chip-enabled.”

“It’s hard to understand how a breach of this magnitude is still occurring in today’s card-present security environment. If the point-of-sale terminals in use were in fact not EMV capable, the liability for the fraud will fall entirely on Wawa,” said Mark.

Click to comment

You must be logged in to post a comment Login

Leave a Reply

To Top

Pin It on Pinterest

Share This