The payment card details of more than 30 million Americans and over one million foreigners have been put up for sale on Joker’s Stash, the internet’s largest carding fraud forum.
This new “card dump” was advertised under the name of BIGBADABOOM-III. According to experts at threat intelligence firm Gemini Advisory, the card data was traced back to Wawa, a US East Coast convenience store chain.
Wawa disclosed a major security breach last December, admitting that hackers had inserted malware on its point-of-sale systems. The company stated that the malware collected card details for all customers who used credit or debit cards to buy goods at its convenience stores and gas stations. The breach affected all 860 of its convenience retail stores, of which 600 also doubled as gas stations.
According to Wawa, the malware operated for months without being detected, from March 4 until December 12, when it was removed from the company’s systems.
The very long infection period and the compromise of hundreds of different locations must have let the attackers behind this hack collect a huge trove of payment card details.
This breach is considered to be one of the largest payment card breaches of 2019, and of all time.
According to Gemini Advisory, which analyzed the data, the Wawa card dump appears to include “30 million US records across more than 40 states, as well as over one million non-US records from more than 100 different countries.”
Wawa stated in a press release that it is aware of the customer card data being offered for sale online. It confirmed that this week’s Joker’s Stash card dump came from its systems.
The company has alerted its payment card processor, payment card brands, and card issuers to increase fraud monitoring activities to help further protect any customer information. It will continue to work with law enforcement to investigate the hack.
The company confirmed that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved.
However, the sample of the Wawa card dump that was obtained includes CVV2 numbers as well.
The Joker’s Stash team is currently selling the details of US-issued cards for $17 per card, on average, while data for international cards is priced at a higher $210 per card.