3 Crore Credit, Debit Card Details Leaked On The Web: World’s Biggest Online Heist Of Private Information
According to reports, hackers on Monday put up for sale the payment card details of more than 30 million Americans and over one million foreigners on Joker’s Stash, the internet’s largest carding fraud forum.
How Did This Happen?
Credit and debit card information from customers of the food and gasoline chain Wawa Inc. is being sold online, according to the fraud intelligence company Gemini Advisory.
The new “card dump” was advertised under the name BIGBADABOOM-III; however, according to experts at threat intelligence firm Gemini Advisory, the card data was traced back to Wawa, a US East Coast convenience store chain.
In December 2019, Wawa disclosed a major security breach, admitting that hackers had planted malware on its point-of-sale systems.
Wawa said that the malware collected card details for all customers who used credit or debit cards to buy goods at its convenience stores and gas stations.
According to the company, the breach impacted all its 860 convenience retail stores, of which 600 also doubled as gas stations.
The company also said that the malware operated undetected for months, between March 4 and December 12, when it was removed from the company’s systems.
What Does The Expert Say?
According to the reports, this prolonged infection period, along with a massive compromise of hundreds of different locations, appears to have allowed the criminal group behind this hack to amass a huge trove of payment card details.
Describing the breadth of the Wawa breach, Gemini Advisory said: “Since the breach may have affected over 850 stores and potentially exposed 30 million sets of payment records, it ranks among the largest payment card breaches of 2019, and of all time.”
They added: “It is comparable to Home Depot’s 2014 breach exposing 50 million customers’ data or to Target’s 2013 breach exposing 40 million sets of payment card data.”
What Are Hackers Doing With This Information?
The Wawa card dump appears to include “30 million US records across more than 40 states, as well as over one million non-US records from more than 100 different countries,” according to Gemini Advisory data analysis.
Wawa said in a press release published today that it had become aware that customer card data was being offered for sale online.
The company also did not contest the accuracy of the Gemini Advisory report, effectively confirming that this week’s Joker’s Stash card dump came from its systems.
What Does Wawa Say About This Incident?
Wawa said: “We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information.”
The company also added that it will continue to work with law enforcement to investigate the hack.
The store chain said that “only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved.”
However, according to a sample of the Wawa card dump obtained by ZDNet, the dump did include CVV2 numbers, despite Wawa’s claims.
The Joker’s Stash team is currently selling the details of US-issued cards for $17/card on average, while data for international cards is priced higher, at $210/card, according to the Gemini experts.
The Gemini Advisory team also said: “The Wawa breach aligns with Joker’s Stash’s tactic of adding records stolen from large merchants in publicly disclosed major breaches only after the breach is announced.”
“Joker’s Stash uses the media coverage of major breaches such as these to bolster the credibility of their shop and their position as the most notorious vendor of compromised payment cards,” they added.