In December 2019, the convenience store chain Wawa disclosed that it had discovered malware on its point-of-sale system and that tens of millions of customer records were at risk. Anyone who had paid for gas and other sundries with a debit or credit card was potentially at risk.
Further, the company admitted that the breach impacted all 860 of its locations. Worse, it discovered that the malware had been in place for at least four months, which makes this a positively massive breach.
A recently published Gemini Security Advisory described it this way:
“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time. It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data.”
It was only a matter of time before a haul that large showed up on the Dark Web, and that has now happened. Recently, security researchers have spotted a file called “BigBadaBoom-III.” The payment card data it contains traces back to Wawa.
At present, the records are being sold for an average of $17 each. Given the size of the breach, that represents a breathtaking payday for the hackers.
If you’ve been to a Wawa convenience store in the last six months, the safe bet is to assume that your payment card has been compromised and proceed accordingly. Doing nothing is a recipe for disaster, especially given that the database containing the card data is already up for sale. It’s only a matter of time until someone gets their hands on your payment data and starts making illicit use of it.