Skip to main content

Wawa data breach: Hacker is selling 30 million credit cards on the dark web

Credit card data from a security breach that affected an East Coast convenience store chain last year was discovered being sold in the corners of the dark web this week. The amount of data stolen makes it the third-largest credit card breach in history.

Wawa convenience stores announced the attempts to sell the data in a news release on January 28. According to the Gemini Advisory Board, a company that identifies cyberthreats, the credit card information was found on the website called Joker’s Stash marketplace and exposed customer data from 30 million cards. 

wallet with cash and cards
Lukas from Pexels

If the Wawa data breach did indeed affect 30 million people, it would make it the third-largest such breach. The 2013 Target breach affected 40 million sets of data, and the 2014 Home Depot breach affected the most customers, with 50 million sets of personal data.

Joker’s Stash titled the breach information as “BIGBADABOOM-III” and it reportedly went live on Monday. Gemini researchers were able to identify the information in the breach to be the same as the Wawa breach. Card information was reportedly being sold for between $17 and $210 per card. The low prices are due to the fact that customers have been aware of a credit card breach for over a month now, and could have already changed their credit card information. 

How to protect yourself from the Wawa data breach

Wawa is still encouraging people who were initially affected by last year’s data breach to stay vigilant in checking their credit card statements for any new fraudulent activity. 

Wawa originally made customers aware of the data breach in early December 2019. It reportedly affected more than 850 stores between March 4, 2019, and December 10, 2019. Wawa said that customers who used credit cards at those stores would have been affected by the breach. 

“We remain confident that the malware we discovered on December 10 was contained by December 12 and since that time has not posed a risk to our customers,” the company said in its news release. “We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers, or other personal information were involved.  This incident did not impact ATM transactions.”

Wawa is offering affected customers free identity protection and credit-monitoring services for one year. Those eligible must apply for the free services by February 28, 2020. 

Editors' Recommendations