Hackers have put the payment card details of more than 30m Americans and over one million foreigners up for sale on the Internet's largest carding fraud forum, Joker's Stash.
The latest “card dump” was listed under the name BIGBADABOOM-III on Joker's Stash but security experts at Gemini Advisory have traced the stolen card data back to the US East Coast convenience store chain Wawa.
Back in December, Wawa disclosed a major security breach in which the company admitted that hackers had planted malware on its point-of-sale (POS) systems. According to the company, the malware collected the card details for all of its customers who used either credit or debit cards to buy goods or gasoline at all of its 860 convenience store locations.
- Planet Hollywood owner hit by major data breach
- Over 1,500 Ring passwords have been found on the dark web
- These were the worst malware strains of 2019
To make matters worse, the malware operated for months between March and December of last year before it was finally removed from Wawa's systems.
Card details for sale
As a result of the prolonged infection period and the compromise of hundreds of different locations, the attackers behind the breach were able to collect quite a large cache of payment card details. In a blog post (opens in new tab) on its site, Gemini Advisory provided additional context on the scope of the Wawa data breach, saying:
“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time. It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data. Joker’s Stash has uploaded records from several major breaches in the past.”
Following the release of Gemini Advisory's report, Wawa released its own press release (opens in new tab) in which it said that the company is aware that customer card data is now being offered for sale online. The convenience store chain did not contest the accuracy of the report which effectively confirms that the latest Joker's Stash card dump originated from its systems.
According to Gemini Advisory, the details of US-issued cards from the Wawa data breach are being sold on the site for just $17 per card while those of international cards are priced much higher at $210 per card.
- We've also highlighted the best antivirus software
Via ZDNet (opens in new tab)