Customer credit card details stolen during a data breach of convenience and fuel retail store chain Wawa have been found for sale on the dark web, the company said in a statement. Wawa reported the original data breach to consumers approximately three weeks ago.
“Today, we became aware of reports of criminal attempts to sell some customer payment card information potentially involved in the previous Data Security Incident announced by Wawa on December 19, 2019,” the statement said.
In its original December statement to customers, the company said the breach was discovered on December 10th, contained on December 12th, and no longer poses an ongoing threat. In addition, the company said “no PIN numbers, CVV2 numbers, or personal information were involved.”
However, the fate of the data stolen prior to the discovery had remained unknown. Now that the information has appeared on the dark web, the company says it has alerted relevant suppliers and requested help in monitoring the situation.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” the statement said.
Finally, the company has offered to make whole any affected customer who does not receive compensation from their credit card company for fraudulent charges stemming from the breach.
“In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges,” the company said.
The Wawa breach is one of many high profile incidents to hit major brands in recent years, including a Capital One breach that affected 100 million customers. Hackers often then create ‘fraud guides’ out of the data before selling it to eCommerce fraudsters.
A 2019 report by Terbium Labs detailed how these dark web eCommerce fraud guides “cover methods and materials that vendors believe they can market to the fraud community as a whole based on the demand for certain data types or access points.”