Wawa Breach May Have Compromised More Than 30 Million Payment Cards (krebsonsecurity.com)
An anonymous reader quotes a report from Krebs on Security: In late December 2019, fuel and convenience store chain Wawa said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground's most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.
On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker's Stash began selling card data from "a new huge nationwide breach" that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states. Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening -- dubbed "BIGBADABOOM-III" by Joker's Stash -- map squarely back to cardholder purchases at Wawa. A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019. "We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," Wawa said in a statement released to KrebsOnSecurity. "We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data."
"We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card," the statement continues. "Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges."
Unpopular opinion: (Score:2)
Then you go after the hackers.
Re: (Score:2)
Exactly. Unless it was something egregious like leaving a mongo DB instance with no password open to the web, I don't see why we would place all the blame on the company and their employees. There's only so much you can do at the end of the day. Also, they are a convenience store, so I would be way more concerned about the company who sold them and configured the payment systems. What systems were they using, and what other stores have similar systems installed?
Re: (Score:2)
The people responsible for this: life in prison, no parole, death penalty at discretion of the judge.
Then you go after the hackers.
So after the owners are gone, who runs the businesses?
Re: (Score:2)
I worked at a place where the CEO got cancer. For 2 years, they didn't replace him, because it was clearly terminal. So he was CEO and acting CEO until he died. And in that time, the company worked fine.
The CEO for this breach is responsible for "profit above security". Either he explicitly said it, or pushed for it. Security isn't hard. It just takes a deliberate effort to make it a priority.
Re: (Score:2)
Yes Comrade.
Re:Unpopular opinion: (Score:4, Insightful)
Yes Comrade.
Because while personal responsibility is an oft-repeated mantra, and we have millions of people locked in cages for failing to exercise it, even suggesting that a CEO be held accountable is the equivalent of communism.
Steal a $20 shirt, you are tried under criminal law. Knowingly over-bill millions of people, make millions of dollars in profit, and you’re tried under civil law*.
Only one of those carries cage-time as a penalty. I’ll give you three guesses which one and the first two don’t count.
Two-tiered justice systems are more indicative of communism than holding everyone equally accountable.
* Now with binding arbitration clauses, they aren’t tried under any law.
Re: (Score:2)
Who is responsible? The boss, or the guy who wrote the code that saves/processes card info? Or the people who certified that system?
You're not supposed to be saving the info. If you are, that's a whole bunch of other certifications and audits. Furthermore, there's really no need to save the information in full like that if you don't intend to leak it or sell it.
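The point that card data should not be stored at all is something a defender can check for directly. As an added example (not code from the thread, from Wawa or from Joker's Stash), a small Python scanner that finds Luhn-valid card-number candidates in log lines and reports them masked; the log lines are constructed and the card numbers are the public Visa/Mastercard test PANs.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Two numbers split by a single space can be
# merged into one candidate, so keep field delimiters in mind when tuning.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI-style display: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidate PANs found in text, separators stripped."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def scan_lines(lines: list[str]) -> list[tuple[int, str]]:
    """(line number, masked PAN) for every probable PAN; the full number is
    never returned, so the scanner's own output is safe to log."""
    findings = []
    for n, line in enumerate(lines, start=1):
        findings.extend((n, mask_pan(p)) for p in find_pans(line))
    return findings

# Constructed sample log lines; the 13-digit timestamps and order id are not Luhn-valid.
SAMPLE_LOG = [
    "ts=1580169600000 pos=17 event=sale amount=42.17 ref=ORD-1234567890123",
    "ts=1580169600001 pos=17 debug card=4111111111111111 exp=0223 auth=ok",
    "ts=1580169600002 pos=04 debug card=5555-5555-5555-4444 exp=1124 auth=ok",
    "ts=1580169600003 pos=04 event=refund amount=-8.00 token=tok_9f3a1c",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: stored PAN {masked}")
```

A hit on a POS or application log is a finding in itself: it means full card numbers are being written to disk, whatever the database schema says.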
Re: (Score:2)
You're not supposed to be saving the info. If you are, that's a whole bunch of other certifications and audits. Furthermore, there's really no need to save the information in full like that if you don't intend to leak it or sell it.
Or use it for marketing. Or keep it as an asset in case the business is sold. Or hold on to it until such time as you find a way to abuse it. Or retain it ‘to respond to a subpoena or when, in the company's sole discretion, disclosing it is needed to protect the interest of the
Re: (Score:3)
The people responsible for this: life in prison, no parole, death penalty at discretion of the judge.
This is a problematic position for several reasons.
In short, you can pin it on a fall guy who was simply optimizing for the current capitalistic system but until the general public demands good security
Re: (Score:2)
I think you are on to something here. Security is not cheap. Bottom line is if you want to win at the price game, security is going to be on the cutting floor so to speak.
How the conversation at Joker's Stash went (Score:3)
Ivan: Okay, which American company we break into next?
Viktor: I know! Pick one with stupidest name! This one here have name like baby talk!
Re: (Score:2)
Ivan: Okay, which American company we break into next?
Viktor: I know! Pick one with stupidest name! This one here have name like baby talk!
That explains "BIGBADABOOM-III"...
Re: (Score:2)
I never heard of it before, I laughed when I read it.
Is it really American? It sounds silly enough to be Aussie.
And you give me shit for paying cash everywhere (Score:2)
I have to use a damned credit card (NOT a debit card!) for online orders because I don't have a choice for that and there are things I need I can't get locally anyway, but at least a credit card gives me some sort of firewall between it and my checking account.
Compromised upon issue (Score:2)
At this point it's safe to assume that any payment card of any type is compromised from the date of issue and that any charge is potentially fraudulent. Merchants and issuers should simply accept this sad fact and start moving towards processes more resistant to compromise of payment-related information. They do exist, and no chip+PIN or chip+signature aren't among them. All the compromise-resistant methods share one trait: the information needed to initiate a transaction is never in the possession of the m