Hackers are selling card info stolen in last year's Wawa breach

Christine Fisher
Contributing Writer
SOPA Images via Getty Images

If you purchased anything at the East Coast gas station and convenience store chain Wawa between March and December last year, there's a chance your credit and debit card info is being sold on the dark web. Earlier this week, fraud intelligence company Gemini Advisory discovered stolen payment card data being uploaded to Joker's Stash, an online cybercrime marketplace. It seems the data was obtained during the Wawa breach discovered in December.

As you may remember, last month, Wawa revealed that malware had been swiping customers' payment card info, possibly since March. It's believed that 850 stores may have been hit, exposing 30 million sets of payment records, making it one of the largest payment breaches of all time. Cardholders in the US, several Asian countries, Europe and Latin America may have had their data stolen.

In a statement, Wawa said it is aware of the reported criminal attempt to sell some customers' payment card info and that it is working with federal law enforcement as part of an ongoing investigation. Wawa believes only payment card info was obtained, so debit card PIN numbers, credit card CVV2 numbers and other personal information should be safe.

If you notice any fraudulent activity on your card statements, Wawa says you should report it to your bank or financial institution immediately. Under federal law, fraudulent charges reported in a timely manner should be refunded, and in the meantime, if you want to pay as securely as possible, we've put together some tips. As the FBI has been warning for years, payment card theft will likely become more common.