Wawa Breach Card Data For Sale on 'Dark Web'

Incident could be among largest payment card breaches of all time

WAWA, Pa. — The illegal online marketplace known as Joker’s Stash recently began selling credit and debit card data stolen during convenience-store chain Wawa’s nine-month data breach, according to Gemini Advisory, a New York-based fraud intelligence firm.

Wawa reported that it discovered the breach Dec. 10, 2019, and contained the cybersecurity issue by Dec. 12. The c-store chain is confident that no debit card personal identification numbers, credit card CVV2 numbers (the three-digit code on the back of payment cards) or other forms of personal information were involved. The chain has not found any evidence that its ATMs were compromised as part of the breach.

Wawa is facing several lawsuits over the breach, reported The Philadelphia Inquirer.

Gemini Advisory deduced that the new sale on Joker’s Stash derived from the credit card data breach, which Wawa announced Dec. 19.

Gemini reported that the breach affected more than 850 stores and more than 30 million payment records. The firm also said it suspects this incident to be one of the largest payment card breaches of 2019 and of all time.

Shortly after Joker’s Stash went live with the purloined data, Wawa released a statement explaining its continued work with card companies and federal law enforcement.

Gemini suspects that demand for the ill-gotten data on the "dark web" is low because Joker’s Stash has put up only about 100,000 records under the title BIGBADABOOM-III. According to Gemini, the low demand could be due to Wawa’s public statements after the breach or the speed with which security researchers identified the source of the breach.

For context on the scope of the attack, security news site Krebs on Security reported that the 2013 megabreach of Target Corp. saw 40 million sets of card data stolen; however, only 1 million to 3 million of those data sets were ultimately sold on the dark web.

C-store retailers can take steps to help prevent similar incidents in the future, such as end-to-end encryption of card data and making the switch from magstripe readers to EMV-capable fuel dispensers, according to industry experts.

Wawa, based in Wawa, Pa., has approximately 850 c-stores in Pennsylvania, New Jersey, Delaware, Maryland, Virginia and Florida. The chain is No. 9 on CSP’s 2019 Top 202 ranking of c-store chains by number of company-owned retail outlets.
