More than a month since the discovery of Wawa’s December data breach, cybersecurity experts from Gemini Advisory has revealed that millions of stolen credit records taken during the security incident are currently for sale on the dark web.
In a blog post, the fraud intelligence company explained Jan 28 that millions of payment card records linked to Wawa’s latest data breach have been uploaded to The Joker’s Stash marketplace, “one of the largest and most notorious dark web marketplaces for buying stolen payment card data.”
The records, titled “BIGBADABOOM-III,” is estimated to include over 30 million sets of payment records and may have affected more than 850 Wawa stores, making it one of the biggest credit card breaches of all time.
Operating as a convenience store and gas station chain in over 850 locations, Wawa first disclosed the security incident in December, saying it had discovered malicious software that had been running on its payment system from March to late April.
“Our information security team identified this malware on December 10, 2019, and by December 12, 2019, they had blocked and contained this malware. We also immediately initiated an investigation, notified law enforcement and payment card companies, and engaged a leading external forensics firm to support our response effort,” the company said at the time.
According to Gemini Advisory, while the store chain has most locations in New Jersey and Pennsylvania, the exposed credit details that are currently being sold online were mostly from Wawa locations in Florida. The median of US-issued records was also reported to be currently priced at $17, while some international records are valued at $210 per card.
“The latest advertisement claimed that the cards would go live on January 27, 2020 at 11:00 PM EST. The full collection would include 30 million US records across more than 40 states, as well as over one million non-US records from more than 100 different countries,” Gemini Advisory’s report added.