
Wawa data breach - 30 million cards (both debit and credit) for sale on Joker's Stash

WkdPaul

The breach affected all 850 East Coast stores; malware was installed on the stores' payment systems and had been there for 9 months!

But when it was first announced in December, they weren't sure how much card information had been stolen. This was all cleared up when the cards appeared on Joker's Stash. It's advertised to contain 30 million credit and debit card numbers.


Wawa is offering free credit card monitoring and identity theft prevention services to anyone affected.


Quote

Customer data exposed during a malware attack against convenience store chain Wawa have appeared on Joker's Stash, a marketplace on the so-called dark web for stolen credit card information.

Hackers who run Joker's Stash began advertising the data's availability on Monday, cybersecurity firm Gemini Advisory said. The ad said Joker's Stash would offer 30 million debit and credit card records from U.S. customers across 40 states and more than 1 million global customers. The records surfaced Monday under the title "Bigbadaboom-III," the firm said.

[...]

The cyberattack, which affected all of Wawa's 850 stores around the U.S., didn't affect anyone who used an ATM, nor did it expose customers' PIN numbers, CVV numbers on credit cards, or driver's license information used for age verification during purchases, Wawa has said.

IMO, something like Privacy.com (but implemented on a physical card) seems like a good business venture! With all these data breaches, stolen cards and leaked DBs of personal information...

Sources:

https://www.digitaltrends.com/news/convenience-store-data-breach-info-found-being-sold-on-dark-web/

https://www.cbsnews.com/news/wawa-data-breach-personal-information-available-dark-web/

https://www.usatoday.com/story/tech/2019/12/27/wawa-data-breach-convenience-store-chain-hit-customer-lawsuits/2759892001/
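POS malware of the kind described above usually harvests card data by scanning process memory for magnetic-stripe track data and card numbers, and a defender checking a terminal's memory dump looks for exactly the same things. The following is an added example (not code from the original post, from Wawa's disclosure, or from any of the linked articles) that runs that scan over a small constructed memory buffer: track 1 and track 2 patterns per ISO/IEC 7813, bare 13 to 19 digit runs filtered by the Luhn check, and PANs masked before they are reported. The file name, offsets and card numbers in the buffer are made up; the PANs are the usual Luhn-valid test numbers.

```python
import re

# Magnetic-stripe track data as it sits in a terminal's memory (ISO/IEC 7813):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# A bare 13-19 digit run that is not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample "memory dump" (assumption: not a real capture). It holds a
# timestamp, one track 1 record, one track 2 record, a Luhn-invalid number and
# a bare Luhn-valid PAN; the card numbers are standard test numbers.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00txn_id=20191227143000\x00"
    b"%B4111111111111111^DOE/JANE^2512101000000000?"
    b"\x00\x00;5555555555554444=2412101123456789?\x00"
    b"order_total=4111111111111112\x00"
    b"\x00ref=4111111111111111\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects most timestamps, serials and order numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four only, the usual PCI DSS display form for logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Return track and PAN hits found in a memory buffer, ordered by offset."""
    hits, track_spans = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            exp, svc = (m.group(3), m.group(4)) if kind == "track1" else (m.group(2), m.group(3))
            hits.append({"kind": kind, "offset": m.start(), "pan": mask(pan),
                         "expiry": exp.decode(), "service_code": svc.decode()})
            track_spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start(1) < e for s, e in track_spans):
            continue                        # already reported as part of a track record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "offset": m.start(1), "pan": mask(pan)})
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_DUMP):
        print(hit)
```

Track hits are the high-confidence ones: a bare digit run that passes Luhn is wrong roughly one time in ten, so expect some noise from the PAN pass on a real dump. If a terminal that is supposed to use point-to-point encryption shows any track hits at all, the encryption is not happening where it should, which is the check worth running long before the data turns up on a carding site.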


We have to start taxing these guys for better digital security measures. It's becoming ridiculous how often a new breach is announced and consumer data taken. 


Edit: Hopefully this doesn't affect GasBuddy cards with driver PINs. 


31 minutes ago, ARikozuM said:

We have to start taxing these guys for better digital security measures. It's becoming ridiculous how often a new breach is announced and consumer data taken. 

 

Edit: Hopefully this doesn't affect GasBuddy cards with driver PINs. 

Exactly. It's astonishing how many times multi-billion-dollar national chains like Target are hacked. When this happens, the feds need to get involved and investigate whether they implemented proper security measures. If it is found that protection was lax, fine the hell out of the business.


I've never heard of this place, but this is as good a time as ever to talk about security. As you mentioned, Privacy.com is a great concept, but for some reason it is offered only within the US, so for all intents and purposes it effectively doesn't exist. It's also absolutely ludicrous that it's even necessary. Why do the large credit card companies like Visa, MasterCard, etc. not simply offer the same service? They are enormous companies making huge amounts of profit; they could easily develop and offer a built-in feature like Privacy.com to all customers.

Another important aspect to consider is that POS chains/systems like this need to be better secured. Companies put tons of effort into their back-end server security (or at least, some of them do), but all too often forget the units that are on the front lines. These are the ones directly exposed to low-paid workers who come and go at a relatively high rate. These are the ones exposed directly to customers (or attackers) when no one is looking. These are the ones, crucially, that are often running common operating systems like Windows, and horribly out-of-date versions at that. They're literally the perfect target, and it's surprising that issues like this aren't more common as a result.


1 hour ago, ARikozuM said:

We have to start taxing these guys for better digital security measures. It's becoming ridiculous how often a new breach is announced and consumer data taken. 

 

Edit: Hopefully this doesn't affect GasBuddy cards with driver PINs. 

Not just taxing but making them fully and limitlessly liable for any damages caused by their incompetence.


9 minutes ago, Ryan_Vickers said:

Another important aspect to consider is that POS chains/system like this need to be better secured.  

Yup, sadly enough, one of our clients (a big company in Eastern Canada) is still using Windows XP and Server 2003 in their stores (on the cash registers and on the on-site servers handling all the transactions).

Since we were hired for monitoring and "catch and dispatch", we have no input on that :(


Just now, wkdpaul said:

Yup, sadly enough, one of our clients (a big company in Eastern Canada) is still using Windows XP and Server 2003 in their stores (on the cash registers and on the on-site servers handling all the transactions).

Since we were hired for monitoring and "catch and dispatch", we have no input on that :(

Just send them an urgent critical alert every morning saying you've detected a serious security issue (Windows XP) xD


12 minutes ago, wkdpaul said:

Yup, sadly enough, one of our clients (a big company in Eastern Canada) is still using Windows XP and Server 2003 in their stores (on the cash registers and on the on-site servers handling all the transactions).

Since we were hired for monitoring and "catch and dispatch", we have no input on that :(

It kinda depends on the setup whether it's a security risk or not. Like when they are on an isolated LAN and have very stringent rules in place for what these can access and what can access them. I've even seen a solution where the outdated OS and SW were isolated into VMs and the only way to access them was to connect to a VPN and use RDP (the VMs were on an isolated network along with a router; the only way in was the VPN and it only allowed RDP connections, nothing else).
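The isolation scheme described in the post (legacy VMs on their own network, reachable only through the VPN, and then only for RDP) is a small enough policy to write down once and check mechanically. The following is an added example, not from the post or from any product, that encodes that policy as a rule table with a default drop, evaluates sample flows against it, and renders the same table as an nftables ruleset so the thing you tested is the thing you deploy. The address ranges, the WireGuard port, the gateway address and the rule names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.ip_network
IP = ipaddress.ip_address

# Hypothetical address plan (assumption, not taken from the post).
LEGACY_VLAN = Net("10.50.0.0/24")       # the XP / Server 2003 VMs
VPN_POOL    = Net("10.99.0.0/24")       # addresses handed to VPN clients
CORP_LAN    = Net("10.0.0.0/16")        # the rest of the store / corporate network
GATEWAY     = Net("203.0.113.10/32")    # VPN concentrator, public side (documentation range)
ANY         = Net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    chain: str                  # "input": to the gateway itself; "forward": through it
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


# The whole allow list. Everything not listed here is dropped.
RULES = [
    Rule("vpn-in",       "input",   ANY,      GATEWAY,     "udp", 51820),  # WireGuard only
    Rule("rdp-from-vpn", "forward", VPN_POOL, LEGACY_VLAN, "tcp", 3389),   # RDP from tunnel clients only
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def decide(flow: Flow) -> tuple[str, str]:
    """First matching rule wins; an unmatched flow is dropped (default deny)."""
    src, dst = IP(flow.src), IP(flow.dst)
    for r in RULES:
        if src in r.src and dst in r.dst and flow.proto == r.proto and flow.dport == r.dport:
            return "allow", r.name
    return "deny", "default-drop"


def render_nft() -> str:
    """Render the same rule table as an nftables ruleset with policy drop on both hooks."""
    out = ["table inet pos_isolation {"]
    for chain in ("input", "forward"):
        out += [f"  chain {chain} {{",
                f"    type filter hook {chain} priority 0; policy drop;",
                "    ct state established,related accept"]
        if chain == "input":
            out.append("    iif lo accept")
        for r in RULES:
            if r.chain != chain:
                continue
            src = "" if r.src == ANY else f"ip saddr {r.src} "
            out.append(f'    {src}ip daddr {r.dst} {r.proto} dport {r.dport} accept comment "{r.name}"')
        out.append("  }")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample flows: the ones a segmentation review actually asks about.
    samples = [
        ("VPN client RDP to legacy VM",        Flow("10.99.0.7", "10.50.0.21", "tcp", 3389)),
        ("corporate LAN RDP to legacy VM",     Flow("10.0.3.4", "10.50.0.21", "tcp", 3389)),
        ("VPN client SMB to legacy VM",        Flow("10.99.0.7", "10.50.0.21", "tcp", 445)),
        ("legacy VM out to the internet",      Flow("10.50.0.21", "198.51.100.9", "tcp", 443)),
        ("internet to gateway VPN port",       Flow("198.51.100.9", "203.0.113.10", "udp", 51820)),
        ("internet straight to legacy VM RDP", Flow("198.51.100.9", "10.50.0.21", "tcp", 3389)),
    ]
    for label, flow in samples:
        print(f"{label:38s} -> {decide(flow)}")
    print(render_nft())
```

The flows that should fail (RDP straight from the corporate LAN, SMB even from a VPN client, the XP VM trying to reach the internet) all land on default-drop, which is the property that makes the setup defensible: a compromised register on that VLAN has nowhere to send card data. Two things to add before deploying the rendered ruleset: match the forward rule on the tunnel interface (`iifname`) as well as the pool address, since addresses can be spoofed from inside the network, and if the legacy boxes genuinely need to reach a payment processor, add that one host and port as its own named rule rather than loosening the default.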


It may be time to move POS onto a different architecture like RISC-V or PowerPC, something non-mainstream.


8 hours ago, wkdpaul said:

Yup, sadly enough, one of our clients (a big company in Eastern Canada) is still using Windows XP and Server 2003 in their stores (on the cash registers and on the on-site servers handling all the transactions).

Since we were hired for monitoring and "catch and dispatch", we have no input on that :(

I remember a story about nuclear submarines still using computer hardware from the 80s and 90s.

But this is bad. And these breaches are only going to get worse. I mean, Equifax wasn't that long ago... and still nothing has really changed.


These problems are a common occurrence. The problem with companies is that the higher-ups especially have no idea about technology. Try convincing them that you need a budget of £250K+ for security upgrades. Then you get nothing.
