Millions of cards exposed in Wawa breach are up for sale online, cybersecurity experts say

Millions of credit and debit cards that may have been stolen in last year’s Wawa data breach are up for sale on one of the most notorious dark web marketplaces, according to cybersecurity experts.

Gemini Advisory, a New York-based fraud intelligence company, said Tuesday that cyber criminals have uploaded payment card data that was compromised in the Wawa data breach. That breach, announced in December, had exposed cardholder names, numbers, and expiration dates used in store and gas pumps at “potentially all” of its stores. The payment card data was found on “Joker’s Stash," one of the largest dark web marketplaces for buying stolen payment card data, the firm said.

Wawa said Tuesday that it was aware of reports that criminals tried to sell information that could have been taken during its data breach, which lasted nine months before being discovered and contained in December. The convenience-store chain said it has alerted its payment card processor, payment card brands, and card issuers to “heighten fraud monitoring activities.”

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the company said in a statement.

More than 30 million cards may have been compromised in Wawa’s data breach, according to KrebsOnSecurity, a cybersecurity blog. KrebsOnSecurity also reported Tuesday that Joker’s Stash had uploaded the batch of payment card data. Sources that work with financial institutions told the website that the stolen cards were linked to purchases made at Wawa.

Wawa, which serves about 700 million customers annually, said it was unable to say how many cards were exposed in its data breach.

“We are working closely with a leading external forensics firm, our payment processor and law enforcement to determine the scope of the disclosure of Wawa-specific customer card data,” spokesperson Lori Bruce said.

Wawa found malware on its payment processing servers on Dec. 10 and contained it by Dec. 12, the convenience-store chain said last month. The malware had been running on its systems since March 4 and was on most of its store systems by April 22, the company has said.

Debit card pin numbers, credit card security codes, and driver’s license information were not affected by the malware, and the attack posed no risk to ATM machines, according to Wawa.

“We remain confident that the malware we discovered on December 10 was contained by December 12 and since that time has not posed a risk to our customers,” the company said.

Payment card data from the breach first appeared on the dark web Monday, according to Gemini. While most Wawa stores are in New Jersey and Pennsylvania, the highest exposure of cards currently comes from Wawa locations in Florida, according to Gemini’s analysis.

After the breach, several banks proactively reissued thousands of debit and credit cards. Wawa is also facing a wave of class-action lawsuits claiming the company failed to protect consumers from a massive data breach.

Wawa, which is based in Wawa, Delaware County, has more than 850 stores in six states and the District of Columbia, including in Pennsylvania, New Jersey, and Delaware. The company had more than $12 billion in sales in 2018.

Wawa has said it will pay for a year of identity-theft protection and credit monitoring for affected consumers who call 1-844-386-9559 (activation code: 4H2H3T9H6). The company has also told customers to closely review account statements for unauthorized charges. Under federal law, customers who notify their card company of fraudulent charges won’t have to pay those charges.