‍

Critical payment and credit card data from the Wawa convenience store breach has reportedly made its way to the dark web. Multiple reports, including Krebs on Security and Gemini Advisory, indicate that card data from more than  30 million Wawa customers was listed for sale Jan. 27 on the cybercriminal dark web forum Joker’s Stash.

Wawa acknowledged the reports, and released a statement saying it has "alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information." Wawa said it is working with federal law enforcement to determine the scope of the exposed Wawa-specific customer payment card data.

Reports on the dark web forum said that the exposed debit and credit card records come from U.S. customers across 40 states, and could impact more than 1 million global customers. Gemini's report indicated the data records were under the title "Bigbadaboom-III."  The Joker’s Stash marketplace is well known in the fraud space as one one of the largest dark web marketplaces for buying stolen payment card data.

"Major breaches of this type often have low demand in the dark web," Gemini said in its analysis of the exposed records. "This may be due to the breached merchant's public statement or to security researchers' quick identification of the point of compromise."

Even though most Wawa locations are in New Jersey and Pennsylvania, Gemini's analysis discovered the most exposed cards were likely to come from Florida. If the scope of this breach is as large as researchers suspect, this would rank the Wawa breach among the worst payment card breaches in history.

Wawa has said Debit card PINs, credit card security codes and driver’s license information for verifying age-restricted purchases are not believed to be affected. Malware was installed on Wawa’s payment processing servers and was used to exfiltrate customers’ names, credit card numbers, and expiration dates.

Wawa has +850 stores that customers could have shopped at that may be impacted by this large-scale data breach. Debit and credit cards during a 9-month span from March 4-Dec. 12 could be impacted by the breach. The breach was discovered on Dec. 12 and the malware threat was contained two days later on Dec. 14.

For more details on the breach, or to learn what your financial institution can do to protect itself from the fallout of this incident, refer to our Data Breach Alert Report.