As many as 31 million stolen payment card records from a 2019 breach at convenience store chain Wawa could soon be on sale on a notorious dark web marketplace.
Stas Alforov and Christopher Thomas at threat intelligence firm Gemini Advisory claimed the upload of stolen data at the Joker’s Stash site began on Monday. Dubbed “BIGBADABOOM-III,” the dump has been linked to a breach at East Coast chain Wawa which was discovered in December last year.
Although the incident was revealed on December 10, attackers were apparently inside the network since early March, enabling them to make off with a huge trove of card numbers, expiration dates and cardholder names.
“Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time. It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data,” Gemini Advisory wrote.
“Notably, major breaches of this type often have low demand in the dark web. This may be due to the breached merchant’s public statement or to security researchers’ quick identification of the point of compromise. However, Joker’s Stash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards.”
At the time of writing, 100,000 card records had been uploaded to the marketplace, including state geolocation information.
The full breach trove is estimated to feature 30 million US cards and around one million from other countries, which were lifted when cardholders visited Wawa outlets during the breach period.
A press release issued by Wawa on Tuesday did not reference the size of the data loss, but explained that the firm’s payment card processor, as well as affected card brands and issuers, had been notified to heighten fraud monitoring.
The firm also clarified that no user PINs or CV2 numbers were taken, and that the breach didn’t affect ATM transactions.
“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” it added.