Data on almost 100,000 cards became available on Monday, but Joker’s Stash claimed it had data from 30 million cards of Wawa customers, according to Gemini Advisory.
Credit and debit card information from customers of the food and gasoline chain Wawa Inc. is being sold online, according to the fraud intelligence company Gemini Advisory.
The breach “ranks among the largest payment card breaches of 2019, and of all time” because it potentially affected 850 stores and 30 million payment records, Gemini Advisory said in a report on Tuesday.
The news follows Wawa’s announcement in December that payment processors in its stores had been compromised.
Gemini discovered that data from cards used at Wawa — many of which belong to U.S. financial institutions — is available for sale on Joker’s Stash, a notorious online marketplace where credit and debit card information is bought and sold.
Data on almost 100,000 cards became available on Monday, but Joker’s Stash claimed it had data from 30 million cards of Wawa customers, according to Gemini Advisory. It’s likely that Joker’s Stash will release additional card data in batches over the next 12 to 18 months, Gemini Advisory co-founder Andrei Barysevich said in an email.
In a statement Tuesday, Wawa said it was “aware of reports of criminal attempts to sell come customer payment card information.” The company said it had alerted its payment card processor, payment card brands and card issuers to heighten fraud monitoring to protect customers. Wawa has offered free credit monitoring and identify theft protection to customers.
Malware ran on Wawa payment processors from March until December, when the company discovered and stopped it, Chief Executive Officer Chris Gheysens wrote in a letter at the time. He said “potentially all” Wawa locations were affected — a finding that aligns with Gemini Advisory’s preliminary analysis.
On Tuesday, the company said it was confident the breach was contained on Dec. 12, two days after it was discovered. “We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved.”