On December 10, 2019, the convenience and fuel store chain Wawa discovered malware on in-store payment processing systems and fuel dispensers at potentially all of its 850 locations. The first batch of stolen card data is being sold at Joker's Stash, which claims to hold over 30 million records in total from this breach. Exposed information includes debit and credit card numbers, expiration dates, and cardholder names. Shortly after, Wawa notified customers that the issue was contained and noted that CVV and PIN numbers were not exposed.
Gemini Advisory, a fraud intelligence company, now says customer data exposed during this cyber-attack has appeared on the dark web, in a popular fraud bazaar called Joker’s Stash. Reportedly, card data – in a first batch dubbed “BIGBADABOOM-III” – was available for sale on January 27, 2020, with nearly 100,000 records, largely from US-based cardholders. Joker's Stash purports that the new breach includes over 30 million card accounts issued by thousands of financial institutions across more than 40 states.
Although millions of cards are being sold, similar incidents in the past, including the 2013 Target megabreach, show that fraudsters will more than likely purchase and use only a small percentage of these cards.
A number of recent high-profile nationwide card breaches at main street merchants have been linked to large numbers of cards for sale at Joker’s Stash, including breaches at supermarket chain Hy-Vee, restaurant chains Sonic, Buca di Beppo, Krystal, Moe’s, McAlister’s Deli, and Schlotzsky’s, retailers like Bebe Stores, and hospitality brands such as Hilton Hotels. Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals, and that data can then be used to create counterfeit copies of the cards.