Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck

Wawa Breach May Have Compromised More Than 30 Million Payment Cards (krebsonsecurity.com) 20

An anonymous reader quotes a report from Krebs on Security: In late December 2019, fuel and convenience store chain Wawa said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground's most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach.

On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker's Stash began selling card data from "a new huge nationwide breach" that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states. Two sources that work closely with financial institutions nationwide tell KrebsOnSecurity the new batch of cards that went on sale Monday evening -- dubbed "BIGBADABOOM-III" by Joker's Stash -- map squarely back to cardholder purchases at Wawa. A spokesperson for Wawa confirmed that the company today became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the data security incident announced by Wawa on December 19, 2019.
"We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information," Wawa said in a statement released to KrebsOnSecurity. "We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data."

"We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card," the statement continues. "Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges."
This discussion has been archived. No new comments can be posted.

Wawa Breach May Have Compromised More Than 30 Million Payment Cards

Comments Filter:
  • The people responsible for this; life in prison, no parole, death penalty at discresion of the judge.

    Then you go after the hackers.
    • by Pascoea ( 968200 )
      Why? So we can put some low-level network tech that didn't check a box on a server config in front of a firing squad? You don't think the manager that didn't understand the security implications, the IT director that denied the funds for proper security, the CIO that had new shiny things to do, the CEO that didn't understand what the CIO was talking about, or the board members that are too busy polishing their yacht are going to end up in jail do you?
      • by jythie ( 914043 )
        Depends on who you consider 'responsible'. Personally I blame the people who stole the data and put it up for sale. No matter how bad your security is, the fault still lies with the person or persons breaking it.
        • Exactly. unless it was something egregious like leaving a mongo DB instance with no password open to the web, I don't see why we would place all the blame on the company and their employees. There's only so much you can do at the end of the day. Also, they are a convenience store, so I would be way more concerned about the company who sold them and configured the payment systems. What systems were they using, and what other stores have similar systems installed.

          • Well when we've seen incidences of CISO's who didn't know boolean logic, or the like it several shakes ones confidence in your statement.
    • The people responsible for this; life in prison, no parole, death penalty at discresion of the judge.

      Then you go after the hackers.

      So after the owners are gone, who runs the businesses?

      • by AK Marc ( 707885 )
        The workers run the business. The CEO extracts value, but doesn't add to it.

        I worked at a place where the CEO got cancer. For 2 years, they didn't replace him, because it was clearly terminal. So he was CEO and acting CEO until he died. And in that time, the company worked fine.

        The CEO for this breach is responsible for "profit above security". Either he explicitly said it, or pushed for it. Security isn't hard. It just takes a deliberate effort to make it a priority.
        • Yes Comrade.

          • by CoolDiscoRex ( 5227177 ) on Tuesday January 28, 2020 @07:24PM (#59666226) Homepage

            Yes Comrade.

            Because while personal responsibility is an oft-repeated mantra, and we have millions of people locked in cages for failing to exercise it, even suggesting that a CEO be held accountable is the equivalent of communism.

            Steal a $20 shirt, you are tried under criminal law. Knowingly over-bill millions of people, make millions of dollars in profit, and you’re tried under civil law*.

            Only one of those carries cage-time as a penalty. I’ll give you three guesses which one and the first two don’t count.

            Two-tiered justice systems are more indicative of communism than holding everyone equally accountable.

            * Now with binding arbitration clauses, they aren’t tried under any law.

        • by gl4ss ( 559668 )

          who is responsible? the boss or the guy who wrote the code that saves/processes card info? or the people who certified that system?

          you're not supposed to be saving the info. if you are thats a whole bunch of other certifications and audits. furthermore there's really no need to save the information full like that if you don't intend to leak it or sell it.

          • you're not supposed to be saving the info. if you are thats a whole bunch of other certifications and audits. furthermore there's really no need to save the information full like that if you don't intend to leak it or sell it.

            Or use it for marketing. Or keep it as an asset in case the business is sold. Or hold on to it until such time as you find a way to abuse it. Or retain it ‘to respond to a subpoena or when, in the companies sole discretion, disclosing it is needed to protect the interest of the

    • The people responsible for this; life in prison, no parole, death penalty at discresion of the judge.

      This is a problematic position for several reasons.

      1. The elected leaders of the population continue to refuse to do anything about mandating security and people keep voting for them.
      2. Good security is expensive, so those who risk the most also succeed the most (since there is no penalty for failure).
      3. People keep shopping at places that fail to use good security.

      In short, you can pin it on a fall guy who was simply optimizing for the current capitalistic system but until the general public demands good security

        1. Good security is expensive....
        2. People keep shopping at places that fail to use good security.

        I think you are on to something here. Security is not cheap. Bottom line is if you want to win at the price game, security is going to be on the cutting floor so to speak.

    • Putting aside the obvious 8th Amendment violation, you don't give the death penalty for something that will, at worst, cost some businesses some money. I had my credit card information stolen and used once. My credit card company let me know within an hour of it happening, they shut the card down, issued a new one, and invalidated any charges they couldn't outright cancel. There was no damage to me other than a bit of panic when it happened and a bit of time out of my day. I suspect the most damage was done
  • by Applehu Akbar ( 2968043 ) on Tuesday January 28, 2020 @06:03PM (#59666006)

    Ivan: Okay, which American company we break into next?

    Viktor: I know! Pick one with stupidest name! This one here have name like baby talk!

  • This [krebsonsecurity.com] is why I've been paying cash for everything I can for years now, this and so much more.
    I have to use a damned credit card (NOT a debit card!) for online orders because I don't have a choice for that and there are things I need I can't get locally anyway, but at least a credit card gives me some sort of firewall between it and my checking account.
  • At this point it's safe to assume that any payment card of any type is compromised from the date of issue and that any charge is potentially fraudulent. Merchants and issuers should simply accept this sad fact and start moving towards processes more resistant to compromise of payment-related information. They do exist, and no chip+PIN or chip+signature aren't among them. All the compromise-resistant methods share one trait: the information needed to initiate a transaction is never in the possession of the m

I do not fear computers. I fear the lack of them. -- Isaac Asimov

Working...