Payment and credit card information from more than 30 million Wawa customers was posted for sale Monday via the dark web forum Joker’s Stash, a website used by cybercriminals for fraud, according to several reports.
The compromised card data listing was shared under a thread titled “BIGBADABOOM-III,” and it was noted as “the most biggest (sic) breach for the last 5 years” in a screenshot captured by cybercrime research firm Gemini Advisory.
Wawa was not named in the listing, but Gemini Advisory and other publications have linked the sale attempt to the American convenience store and gas station chain’s breach. In a press release from Dec. 19, Wawa announced it had discovered malware that may have affected more than 850 stores and included payment records from March 4 and Dec. 12, 2019.
Wawa issued a statement Tuesday afternoon regarding the reported illegal sale. However, it has not been confirmed whether the Joker’s Stash post is legitimate or connected to the chain.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” officials at Wawa wrote. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”
Wawa officials urged affected customers to remain vigilant in their transaction monitoring and report any fraudulent charges to authorities.
After discovering the malware in its system on Dec. 10, the breach was contained by Dec. 12, according to Wawa. The company stressed that payment records have not been at risk since.
“We also remain confident that only payment card information was involved, and that no debit card PIN numbers, credit card CVV2 numbers or other personal information were involved,” the statement continued for clarification. “This incident did not impact ATM transactions.”
Although limited information was obtained through the hack, Andrei Barysevich of Gemini Advisory told Fortune that cybercriminals are still willing to pay for credit and debit card numbers. The median price for this info is $17 per card, according to Barysevich.
The cards could still be used at stores using older swipe technology.
The Federal Trade Commission estimates that as many as nine million Americans get their identities stolen each year. Moreover, a study from The Motley Fool reports that credit card fraud tripled between 2014 and 2018.