Let's face it. As inhabitants of the Northeastern region, we loooove ourselves some Wawa. How did we feel when we found out in mid-December that they had sustained a massive data breach? We'll be the first to admit: our feelings were a little hurt, but did that stop us from getting ourselves a hoagie? Nope.

Since Pennsylvania-based Wawa is so near and dear to all of us, we wanted to take a moment to break down the Wawa Data breach. How did it happen? How were people affected and what's going on with it now? Read on to find out.

The convenience store chain Wawa announced that they had sustained a data breach to its payment card processing system which could potentially have affected customers who used its 850 stores nationwide. It was announced on Monday, January 27, 2020 that the first batch of stolen credit card data was being sold on the dark web – specifically at a popular fraud marketplace known as Joker’s Stash. The stolen data is being called BIGBADABOOM-III and may contain cardholder data from not only the United States, but also from Latin American countries, Europe and numerous Asian countries. The exposed data includes both debit and credit card numbers, cardholder names, and card expiration dates. Wawa has stated that the breach did not expose any PIN information or CVV records.

While many have probably heard of this story in the news, what they might not have heard is what the rest of this article details: how the breach occurred in the first place. Wawa discovered the intrusion on December 10 and had it contained by December 12, however, the alarming fact here is that it is very likely that the malware that caused the breach had likely been installed for months prior to Wawa’s discovery of it. It is speculated that the breach was likely to have occurred on or around March 4, 2019. The card-information stealing malware was installed on both its in-store payment processing systems as well as its fuel dispensers.

Anyone thinking to themselves at this very moment, why or how could Wawa let this happen? One would expect that company with such high visibility and such a loyal customer base would exercise more stringent security precautions due to the nature of the data that they handle; however, it appears that somehow cybercriminals were able to remotely install a malicious point-of-sale malware on Wawa’s payment processing systems. The malware is capable of copying data that is stored within the magnetic stripe of a credit card in order to create counterfeit credit cards with the stolen data.

Your next question might be, did Wawa have any type of red flags/warnings that they ignored? To us, it seems to be an all too classic tale in the aftermath of data breaches – often times, uncovered that the company who suffered the breach has deliberately ignored some type of warning or severely overlooked a critical security component that could have stopped the potential attack or minimized its overall impact. Was this the case with Wawa? The only finger that is being pointed at this moment is that Wawa may have been negligent in its full transition to chip-based card readers, as initially mandated by The Group of Twenty (G20).

In summary, it is clear to us that something was obviously awry with Wawa’s security strategy. It is very alarming that malware that is speculated to have been installed went undetected for close to eight months.

Is this a sign of a very sneaky malware author...or is it a sign of a lack of a defense in depth security strategy on Wawa’s part? It will be interesting to see how this situation plays out in the future and if any additional information will develop on the specific malware.

If you have any questions about a solid defense in depth strategy for your website or your overall business needs, feel free to contact us for a free initial consultation where we will work with you to understand the current state of your company's security strategy as well as assist you in identifying potentially vulnerable areas that you might've overlooked.


The data from this article is a summary of an article originally written by Krebs on Security