The Consequences of the 2019 Wawa Data Breach: Private Data of Millions Is Sold on the Dark Web
Last week, researchers from threat intelligence firm Gemini Advisory noticed that there was a new offer on Joker's Stash, one of the Dark Web's most popular marketplaces for stolen credit card details. It was posted by the site's moderator (going by the rather unimaginative nickname of JokerStash), and it was named BIGBADABOOM-III. Gemini's researchers decided to take a closer look at what the cybercriminals had to offer.
On January 27, JokerStash uploaded the first four databases. The ad states that the entire collection comprises more than 30 million records, but last week's batch holds just 100,000. The researchers found quite a lot of falsified geolocation data inside the databases, but they also saw plenty of real information, and it didn't take them long to realize where it had come from.
Cybercriminals are trying to monetize December's Wawa data breach
In December, convenience store and gas station chain Wawa announced that its payment system had been infected with Point-of-Sale (PoS) malware. The discovery was made on December 10, and within 48 hours, the malware was removed. Further investigation revealed, however, that the initial compromise happened nine months earlier, on March 4.
At the time, Chris Gheysens, Wawa's CEO, wasn't entirely sure what the scope of the breach was, but he did note that between the initial infection and April 22, the malware managed to compromise the payment systems at "most" of Wawa's locations. Apparently, the attack's intensity decreased after that, but the data breach notice did imply that the malware continued to be active at some stores until it was completely contained on December 12.
The exact name of the malware remains unknown for now, but we do know that it acted pretty much like every other threat of this type. Once a store's payment system is infected, the malware is designed to copy all the data that is stored on the magnetic stripes of credit and debit cards when they are swiped at PoS terminals. This data includes the card's number, the name of the cardholder, and the expiration date. As Chris Gheysens pointed out in the notice, PoS malware can't steal PIN and CVV codes.
If what JokerStash says is true, the attack on Wawa resulted in the compromise of 30 million cards, which would mean that this is one of history's biggest breaches of this kind. Couple that with the fact that according to Gemini, the median price of US-issued cards hovers around $17 a pop while non-US records retail for around $210, and you'll see just how much money the hackers stand to make, at least in theory.
From the crooks' perspective, the whole thing sounds too good to be true
Gemini's experts noted in their report that JokerStash is happy that we know where the data is coming from. Apparently, the marketplace's administrator often tries to boost their credibility by offering credit cards stolen during breaches that have already been made public. This could also be good news for those who got their banking cards compromised, though.
The fact that the breach has already made the news means that people are more likely to have already taken some steps to protect themselves. When Wawa talked about the incident for the first time, for example, it offered free identity theft and credit monitoring services for one year to everyone involved, and we're sure that at least some of the victims have taken advantage of this. The gas station chain also promised to work with people who have seen fraudulent payments on their credit cards because of the breach but have received no refunds.
In other words, victims of the Wawa breach should be better prepared to face the risks, and this means that the data dump JokerStash is trying to push isn't as appealing as it seems at first.