Cybercriminals have put the credit card data of tens of millions of customers of the convenience store chain Wawa up for sale.
An infamous hacker by the name Joker Stash posted the data for sale on the dark web earlier this week, reported cybersecurity firm Gemini Advisory. Fortune reported that the criminal claimed they had more than 30 million card numbers from over 40 different states resulting from a “nationwide breach.”
Wawa later issued a statement confirming the leak.
“Today, we became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident ... We continue to work closely with federal law enforcement in connection with their ongoing investigation,” the store chain said in its statement.
Wawa had disclosed in December that malware had been discovered on its payment processing servers, potentially affecting 700 of its locations. The company found that the malware exposed customers’ credit and debit card information from March 04, 2019 to December 12, 2019, when the store chain managed to contain the breach.
Andrei Barysevich, a cybersecurity expert with Gemini Advisory, warned that the alleged sale of Wawa data is a typical tactic used by hackers. Hackers will sell the data in small batches to other criminals, who then use the credit card information for fraudulent purchases. Barysevich added that median price for such data is $17 per card, and that the likely buyers will be criminal gangs in the Northeast. This is because overseas banks are likely to identify the North American cards as suspicious, and thus prevent fraudsters from spending using the cards, the expert explained.