The Wawa data breach is compared to the Home Depot and Target breaches due to its expansive victim pool. Some have called it the largest of all time, affecting more than 30 million customers.
Wawa is a chain of East Coast gas stations and convenience stores that experienced a major data breach sometime before January 2020. As the story unfolds, the store was under siege for nine long months, where thieves collected more than 30 million credit cards through malware installed on their payment processing systems.
The convenience store chain has 860 locations throughout the country, and anyone who visited one during 2019 was at risk of exposure in this data breach.
After running unchecked for months, Wawa discovered the data breach and removed the malware on December 10th. Wawa was one of the most prolonged and massive data breaches
of all time, earning cybercriminals 30 million payment card details.
As of January 2020, the massive list of credentials was offered for sale on Joker’s Stash, a dark web marketplace where thieves sell their wares. Criminals nicknamed the stash “BIG BADABOOM-III,” and are selling each card’s details for $17-$220. The data breach affects thousands of different banks and financial institutions all across the country, and the card data found on the dark web can be directly traced back to transactions at Wawa stores.
How Did The Wawa Data Breach Happen
The malware infected point-of-sale systems and payment processing systems during most of 2019. Wawa did not discover the issue until December 10, 2019. Two days later, they contacted customers issuing a statement about the malware discovery and warning customers that all locations had been compromised.
In the breach, hackers made off with names, debit and credit card numbers
, and expiration dates. Wawa assured customers that no PINs (personal identification numbers), CVV (three-digit security code on the back of credit cards), or driver’s license numbers were stolen. However, according to ZDNet, who acquired a copy of the card data dump from the dark web, found CVV2 numbers included in the data. Wawa also claimed that their ATM machines were not affected by the data breach.
By December 12, 2020, Wawa took quick action to alert their payment processing vendor along with banks and card brands. They released this statement to a security research firm KrebsOnSecurity, “We continue to work closely with federal law enforcement
in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”
How To Find Out Your Data Breach
If you used any Wawa gas station or convenience store during 2019, you were most likely included in the breach. You should have received notice from the store that your information was compromised along with steps to take to protect yourself. The largest number of stolen cards came from locations in Pennsylvania and Florida but also other states like Maryland, New Jersey, Virginia, Delaware, and the District of Columbia.
You can contact Wawa directly if you have questions about the data breach and believe you were affected.
What To Do After Data Breach
Cancel any credit or debit cards you used in those locations immediately and have your bank replace them. If you have an online account associated with them, change your username and password, just to be safe. It’s also a good idea to watch your credit card statements
and even bank statements (if you used a debit card) for any unusual or suspicious charges. If you see any, contact your bank’s fraud department immediately to report it. Order a copy of your credit card as soon as possible to check for any unusual activity, accounts you don’t recognize, or other inconsistencies.
Are There Any Lawsuits Because Of The Data Breach?
As the investigation continues, rumors have it that Wawa could face government fines for not protecting their customer data adequately. There is also one class-action lawsuit filed against Wawa for this data breach. The lawsuit was filed in the U.S. District Court for the Eastern District of Pennsylvania and signed by a considerable number of victims affected by this data breach.
Can My Wawa Information Be Used For Identity Theft?
Absolutely. All a criminal needs is a bare thread of information that they can then combine with other data found on the dark web and in public records to put together an entire profile for you, which they can use for identity theft. Any payment card information
stolen can also be used for fraudulent charges, so keep an eye out for those as well. You may also receive phishing emails (even those that look legitimate from Wawa or other sources) regarding the incident but remain cautious.
How To Prevent A Data Breach?
The Wawa data breach was in massive proportion to other notorious breaches and exposed data for a whopping 30 million people. That information is now being sold on the dark web to use for nefarious purposes. Some ways you can protect yourself are:
- Cancel any credit/debit cards used at those stores. Have your bank replace them.
- Change all online banking passwords.
- Contact the three major credit bureaus and inform them of the data breach. Sign up for a credit freeze or credit lock to protect against anyone opening up new accounts or charging on your existing accounts.
- Use one single credit card for online and in-store purchases to minimize your risk.
- Never give out personal information (driver’s license number, date of birth, social security number, payment info, etc.) to anyone unsolicited.
- Review your credit reports quarterly. Look for any unusual activity or accounts you don’t recognize.
- Keep an eye out for phishing emails or fraudulent phone scams.
- Never, ever click a link inside an email, even if it looks legitimate.
- Install and run antivirus software frequently on all your devices.
- Never reuse usernames or passwords on multiple websites.
- Change your passwords often and use really long, complex combinations of letters, symbols, and numbers.