More than 30 MILLION debit and credit card records stolen from hack on convenience store Wawa are being sold on the dark web in what researchers call one of the biggest breaches of all time
- A breach of convenience store Wawa leaked millions of financial records online
- Researchers say a trove of 30 million records has been found on the dark web
- Experts claim the breach is among the biggest ever recorded
- ZDNet reports CVV numbers were included in the data despite Wawa’s claims
Credit and debit card information stolen in a major breach of a US convenience store have now surfaced on the dark web where they’re being sold on a black market.
According to the cyber security firm Gemini Advisory, the stolen data is being sold on a black marketplace called Joker’s Stash and includes more than 30 million debit and credit records hoovered from hundreds of stores in the US.
‘Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time,’ write researchers.
Pictured is a screen cap from a site called ‘Joker’s Stash’ where the stolen data is being sold on the dark web
The database encompasses more than 1 million different victims and across 40 US states with most of those implicated coming from Florida, New Jersey, and Pennsylvania.
Original reports at the time the breach was uncovered in December suggested that ‘thousands’ of customers were affected.
While Wawa has claimed that the breach did not compromise customers who only used an ATM and didn’t leak PIN or CVV numbers, ZDNet reports that some CVV numbers have shown up in the cache of stolen information.
The company denied that CVV numbers were ever compromised in a statement to ZDNet, however.
‘… only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved,’ the company told ZDNet.
As a result of the apparent attempt to hawk stolen data, Wawa said it will put its payment processors and card companies on notice for any suspicious activity.
‘We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,’ the company said in a statement this week.
‘We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.’
Wawa is being sued for the breach late last year and has been working with federal law enforcement to uncover the extent of the hack
In December of 2019, the Pennsylvania-based company announced that its information security team discovered malware on its payment processing servers and on December 10 and managed to stop the breach on December 12.
Since then, Wawa has faced multiple lawsuits. As of December, at least six lawsuits seeking class-action status were filed in federal court in Philadelphia.
