Wawa paying $9-million in cash, gift cards in data breach settlement; Nov. deadline to file claim

WPVI reports an update to the 2019 WaWa breach covered on this site in a number of posts: Wawa is paying out up to $9-million in cash and gift cards related to a data breach that exposed customers’ credit and debit card numbers and names. The breach happened between March 4, 2019 and December 12, 2019. If you can show proof that the breach cost you money, you can be reimbursed up to $500. “The Settlement Class consists of all customers who reside in the United States and who used a credit or debit card at a Wawa convenience store or fuel pump at any time during the Period of the Security Incident,” the Wawa Consumer Data Security Read more on WPVI.

Wawa Customers Win Initial Settlement Approval in Data Suit

Maeve Allsup reports: More than 22 million Wawa Inc. customers were granted preliminary class status Friday in a suit stemming from a data breach that led to the sale of their payment information on the dark web. [See previous coverage here,  here, and here] Hackers accessed Wawa’s point-of-sale systems and installed malware targeting in-store payment terminals and gas station fuel dispensers in March 2019. Read more on Bloomberg Law.

Wawa Reaches Proposed $12M Settlement in Data Breach Litigation

Max Mitchell reports: Attorneys representing Wawa customers who potentially had their payment card information exposed to hackers have reached a more than $12 million settlement with the regional convenience store chain, according to court papers in Philadelphia federal court. Read more on Law.com (free sub. required).

Breached Wawa Payment Card Records Reach Dark Web

Both Gemini Advisory and KrebsOnSecurity caught this one quickly.  From Gemini Advisory: Joker’s Stash began uploading records as advertised on January 27. The breach was titled “BIGBADABOOM-III” and appeared in four different bases. The records included the state geolocation information, but not the city or ZIP Code as previously announced. The listed geolocation data for added records ranged across 40 states. However, much of this data appeared to be falsified, and only six states appeared to be genuinely affected. Read more on Gemini Advisory, who have a frequency distribution of payment cards by state.  Read also Brian Krebs’ coverage, which includes discussion of Gemini Advisory’s findings.  

An Open Letter from Wawa CEO Chris Gheysens to Our Customers

December 19, 2019 NOTICE OF DATA BREACH Dear Wawa Customers, At Wawa, the people who come through our doors every day are not just customers, you are our friends and neighbors, and nothing is more important than honoring and protecting your trust.  Today, I am very sorry to share with you that Wawa has experienced a data security incident.  Our information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019.  This malware affected customer payment card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained.  At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines. I want to reassure you that you will not be responsible for any fraudulent charges on your payment cards related to this incident, as described in the detailed information below.  Please review this entire letter carefully to learn about the resources Wawa is providing and the steps you should take now to protect your information. Read the full notice on their website.

UGNAZI Claims to hacked, defaced and be in control of wawa servers

UGNAZI have made claims now that they have hacked a well known gas stores/truck stops WAWA (https://www.wawa.com). Their claims have come from their main twitter account @UG with the following messages. > UGNazi ‏@UG https://Wawa.com —> DeFaceD —> https://i.imgur.com/z1lv8.png —>#Havoc —> #UGNazi****UGNazi ‏@UG How much #havoc would be caused by shutting down all of the Wawa Gas pumps? Love having access to the gas control relay centers :). UGNazi ‏@UG Get ready for the United States to panic about having no working gas pumps at the wawa. So much #havoc. Oh the horror. The Horror! #UGNazi#UGNazi Wawa Hacked!, Gas Terminals Hacked!, https://Wawa.comDefaced, Server hacked, Terminals hacked. #UGNazi#havoc#TheHolocaust So  as you can see from the above, they are fairly confident they have breached the servers, the question is what will the results be from this? is it even possible to access critical information or networks via the web? whats wawa going to have to say about this one. more to come when updates come thru. about wawa from wiki: Wawa Inc. is a chain of convenience store/gas stations located in the Mid-Atlantic region of the United States. It operates in Pennsylvania, New Jersey, Delaware, Maryland, Virginia, and Florida. The company’s corporate headquarters is located in Wawa, Pennsylvania.near Middletown Township in Delaware County.[4] As of 2002 and as of 2008, Wawa is the largest convenience store chain in Greater Philadelphia, and it is also the third largest retailer of food in Greater Philadelphia, after ACME Markets andShopRite.

CEFCO Allegedly Victim of Data Theft

Jackson Lewis reports: Hackers have posted 42 gigabytes of data allegedly stolen from CEFCO Convenience Stores on a website known as Marketo. The website indicates the stolen data includes “agreements, financial data, account lists, budget reports, NDAs and other interesting documents,” according to the post attached to the file online. Read more on CSP.

In 2020, COVID-19 also impacted the carding market

It’s always nice when trends make sense. And it’s even nicer when professionals watch and analyze those trends for us. In a report released this morning, Gemini Advisory looked at the carding market in 2020 and how the pandemic does correlate with a significantly decreased demand for Card Present (CP) data on the dark web markets.  The breaches associated with greatest CP card sales were the Wawa, Islands Fine Burgers & Drinks, Champagne French Bakery Cafe,  and Dickey’s Barbecue Pit. Somewhat surprisingly, perhaps, the increased demand for Card Not Present (CNP) is not quite as increased  as we might have expected, and Gemini analysts provide an interesting discussion of the supply and demand issues. In 2020, Gemini found that the the largest groups of CNP cards came from the Volusion and Claire’s Boutique breaches. A second key finding in their report was that Magecart attacks, already popular prior to the pandemic, became even more attractive to those attacking e-commerce sites. And also not surprisingly, we saw the flexibility of criminals as the pandemic resulted in a shift to fraudulent sites offering medical supplies and PPE.  As the pandemic and quarantines continued and other items became needed or more attractive, there were corresponding increases in those types of fraud sites. Read their full report for more findings and explanations.    

Ongoing Data Breach Dispute Underscores Emerging Legal Issues in Data Privacy Litigation

Aaron C. Garavaglia of Squire Patton Boggs writes: From consumers and merchants to financial institutions and investors, fraud is a global problem that damages healthy economic growth.  Two sobering statistics illustrate that as the world has become more connected, fraud has only proliferated.  In 2001, the FTC received 137,306 reports of fraud.  In 2019, that number increased to 1,697,934 – an increase of over 1,000%.  As fraud has increased, so too are disputes about who bears the cost.  A recent case in the U.S. District Court for the Eastern District of Pennsylvania highlights the strains in the system, as credit card issuers try to hold a retailer liable for negligence in its handling of payment card data. Read more about the Wawa breach litigation and its significance on National Law Review.

Crypto Exchange Kraken Denies Rumor of Office Closure, Security Breach

Wolfie Zhao reports: U.S.-based cryptocurrency exchange Kraken has denied a rumor that has emerged on social media claiming the firm is shutting down operations at one of its service centers amid a security issue. Reddit user “throwaway34034324” posted a thread on Thursday claiming that the exchange is closing operations in Halifax, Canada, and has “just laid off hundreds of people in response to a security [breach].” Another user, “MysteriousPlankton,” who is apparently one of the Halifax employees, commented on the thread that they were asked to accept voluntarily resignation with eight weeks’ pay as a “severance package” or risk being laid off. Read more on Coindesk.