Watch CBS News

Wawa customer data exposed during hack now sold on dark web

Customer data exposed during a malware attack against convenience store chain Wawa have appeared on Joker's Stash, a marketplace on the so-called dark web for stolen credit card information.

Hackers who run Joker's Stash began advertising the data's availability on Monday, cybersecurity firm Gemini Advisory said. The ad said Joker's Stash would offer 30 million debit and credit card records from U.S. customers across 40 states and more than 1 million global customers. The records surfaced Monday under the title "Bigbadaboom-III," the firm said. 

"Major breaches of this type often have low demand in the dark web," Gemini said in its analysis of the exposed records. "This may be due to the breached merchant's public statement or to security researchers' quick identification of the point of compromise."

Gemini found that the most exposed cards came from Florida even though most Wawa locations are in New Jersey and Pennsylvania. Researchers with the firm said the Wawa incident ranks among the largest payment card breaches of all time.

The cyberattack, which affected all of Wawa's 850 stores around the U.S., didn't affect anyone who used an ATM, nor did it expose customers' PIN numbers, CVV numbers on credit cards, or driver's license information used for age verification during purchases, Wawa has said. 

However, ZDNet.com reported that CVV numbers are available on Joker's Stash. Wawa stood by its claim Wednesday that CVV numbers were not exposed.   

Shedding light on the dark web 06:33

Wawa said in a statement that the company's card payment processor will be on heightened alert for fraudulent activity. The company, which acknowledged the data's appearance on Joker's Stash, also encouraged affected customers to review their financial charges and report unauthorized transactions to their bank immediately. 

Banks should restore the funds from a fraudulent charge, Wawa said, but if not the company will reimburse customers.

"Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges," Wawa said.

Wawa CEO Chris Gheysens announced on the company's website in December that malware had been found on company computer servers used for processing customer payments. Wawa said it found the malware on December 10 and had it under control two days later. Still, customers who used their debit or credit card at Wawa between March 4, 2019, and December 10 may have had their card data exposed. 

Wawa has since begun offering affected customers one year of free credit monitoring from Experian. Customers can enroll online or call (844) 386-9559.

Customers have filed a federal lawsuit against Wawa, claiming the company was negligent and should have taken more aggressive steps to protect card information.  

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.