January 29, 2020

Wawa breach update: 30M cards likely compromised


Last month, convenience store chain Wawa announced that more than 850 of its stores had been impacted by malware but did not estimate how many consumers had been affected. According to KrebsOnSecurity, experts believe that more than 30 million cards were stolen and are now being sold on an underground site.

Fraud intelligence company Gemini Advisory flagged that some of the cards for sale in the batch could be from other merchants. In addition, the company determined that "apart from banks with a nationwide presence, only financial institutions along the East Coast had significant exposure" as Wawa locations are concentrated in Florida, Pennsylvania, Delaware, Maryland, Virginia, and Washington, D.C.

Wawa, in a letter to customers in December, said malware was discovered on its processing servers Dec. 10 and was contained by Dec. 12; the company believes the malware began running March 4, 2019. Payment card information, including expiration dates and cardholder names, used at in-store payment terminals and fuel dispensers could have been accessed by the malware. PIN numbers, card security codes, and driver's license information were not affected.

The company also partnered with Experian to provide consumers with resources to monitor for suspicious activity, including one year of identity theft and credit monitoring for free.

NAFCU, as a leader in calling for national data security standards, has urged lawmakers to consider a national data security standard for institutions that collect and store consumer information. The association was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system.