This Store Has Breached 30 Million Payment Cards

Last December, Wawa, the popular east coast-based chain of convenience stores and gas stations revealed a data breach that affected each of its 850 locations and exposed the identities and credit cards of 30 million customers. That data is now for sale on the dark web by hacker group Joker’s Stash.

One of the Largest Payment Card Breaches Undiscovered for 10 Months

The 850 locations of Wawa, which operates convenience and gas stores primarily on the east coast from Pennsylvania to Florida were affected by a sophisticated hack which placed malware in each of their card processing locations. The data breach affected every customer who used a credit or debit card between March and December of 2019. It appears to be one of the largest payment card breaches of all time.

It is unclear why it took Wawa 10 months to identify that they had a problem in their system. Wawa indicates that they will be notifying customers and offering free credit monitoring and identity theft services to affected consumers but in our experience, this is not possible with a data breach of this magnitude. MyProfyle will be interested to see the format of this service but expects that restrictions and other limitations will greatly reduce the number of eligible consumers.

30 Million Consumers’ Credit and Debit Cards for Sale

Last week the payment information for more than 30 million Wawa customers was posted for sale on Joker’s Stash, an online marketplace for hackers with stolen consumer data to sell. In the past they have offered individual credit card details including the security codes and personal information needed to use the cards anywhere for $78 per card. There’s no way to know how many were sold, if the information on consumers is sold more than once or if the criminal buyers get bulk discounts.

What is known, is that anyone buying such information intends to use it to recoup their investment. American consumers are protected form fraud in the form of unauthorized transacitonis on their credit or debit cards but there are restrictions. Transactions typically must be detected by the consumer and the bank in question must be notified within 60 days. So don’t forget to check your statements carefully.

Consumers using debit cards may find that until the charge is reversed the money is taken out of the linked bank account which can lead to them running out of cash or having insufficient funds to make other, legitimate payments. A bounced check can cost a consumer $35 to $50 in penalties and fees as well as create other problems such as cancelled or suspended services until alternative methods of payment are established.

Chilling Hacker Advertisement on Joker’s Stash

What Can You Do?

MyProfyle reminds its users that exposure by hacks and data breaches are only one way our identities and privacy are put at risk by companies with lax security or who fall pretty to innovative hackers. Pervasive tracking, cloud storage and poor security mean that reams of new data about each of us are captured and stored every day. Become a Free Basic MyProfyle member today and learn more about risk factors like these so that you can take the appropriate steps to protect yourself and approve of reject use of your identity.



New York Post

Did You Find This Post Interesting?

Join our email list to get the latest blog posts sent to you