30 million payment cards listed on fraud marketplace

Hackers have put the payment card details of more than 30m Americans and over one million foreigners up for sale on the Internet's largest carding fraud forum, Joker's Stash.

The latest “card dump” was listed under the name BIGBADABOOM-III on Joker's Stash, but security experts at Gemini Advisory have traced the stolen card data back to the US East Coast convenience store chain Wawa.

Back in December, Wawa disclosed a major security breach in which the company admitted that hackers had planted malware on its point-of-sale (POS) systems. According to the company, the malware collected the card details for all of its customers who used either credit or debit cards to buy goods or gasoline at all of its 860 convenience store locations.

To make matters worse, the malware operated for months between March and December of last year before it was finally removed from Wawa's systems.

Card details for sale

As a result of the prolonged infection period and the compromise of hundreds of different locations, the attackers behind the breach were able to collect quite a large cache of payment card details. In a blog post on its site, Gemini Advisory provided additional context on the scope of the Wawa data breach, saying:

“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time. It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data. Joker’s Stash has uploaded records from several major breaches in the past.”

Following the release of Gemini Advisory's report, Wawa issued its own press release in which it said that the company is aware that customer card data is now being offered for sale online. The convenience store chain did not contest the accuracy of the report, which effectively confirms that the latest Joker's Stash card dump originated from its systems.

According to Gemini Advisory, the details of US-issued cards from the Wawa data breach are being sold on the site for just $17 per card, while those of international cards are priced much higher at $210 per card.

Via ZDNet

Anthony Spadafora
