A New York City based private security and investigation firm says Wawa customer data is being sold on a popular underground website crime shop.
According to the security specialists firm, card data from ‘a new huge nationwide breach’ that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states. appeared on the fraud related site on the dark web late Monday.
The report cites two sources who work with intimate knowledge of the financial institutions said the information posted maps “squarely back to cardholder purchases at Wawa.”
Wawa as previously reported during the Christmas season when it discovered the data breach (Dec. 10) and contained it by Dec. 12. but malware was thought to have been installed more than nine months earlier, around March of 2019.
The information exposed includes debit and credit card numbers, expiration dates, and cardholder names. Wawa officials said in December.
At the time, Wawa CEO Chris Gheysens said the breach did not expose personal identification numbers (PINs) or CVV codes.
A Wawa spokesperson said the company is aware of reports of criminal attempts to sell customer card information potentially involved in the data breach from last year.
“We have alerted our payment card processor, payment card brands, and card issuers to heighten fraud monitoring activities to help further protect any customer information,” Wawa said in a statement released to KrebsOnSecurity. “We continue to work closely with federal law enforcement in connection with their ongoing investigation to determine the scope of the disclosure of Wawa-specific customer payment card data.”
“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” the statement continues. “Under federal law and card company rules, customers who notify their payment card issuer in a timely manner of fraudulent charges will not be responsible for those charges. In the unlikely event any individual customer who has promptly notified their card issuer of fraudulent charges related to this incident is not reimbursed, Wawa will work with them to reimburse them for those charges.
The FBI is now running an investigation into the customer information exposure and at least one class action law suit has been filed to date, according to reporting by CISOMAG
Particulary disturbing from the security report for Wawa customers of Pennsylvania locations is fraud intelligence company, said the biggest concentrations of stolen cards for sale on the dark traces back to Wawa in Florida and Pennsylvania, the two most populous states where the company operates.
Customers who are concerned their debit or credit cards were compromised or who have questions about the breach can call a dedicated toll-free call center: 844-386-9559. Wawa is offering free credit monitoring and identity theft protection to anyone whose information may have been involved.
- Close the accounts that you have confirmed or believe have been tampered with or opened fraudulently. Use the FTC’s ID Theft Affidavit (available at www.ftc.gov/idtheft) when you dispute new unauthorized accounts.
- File a local police report. Obtain a copy of the police report and submit it to your creditors and any others requiring proof of the identity theft crime.
Customers whose information may have been involved should:
- Review your debit and credit card account statements. Unauthorized charges should be reported immediately. Under federal law and card company rules, customers who notify their payment card company in a timely manner upon discovering fraudulent charges will not be responsible for those charges.
- Register for identity protection services. “We have arranged with Experian to provide potentially impacted customers with one year of identity theft protection and credit monitoring at no charge to you,” Gheysens said. Information about these services is available on the Wawa website or by calling the dedicated data breach number: 844-386-9559.
- Order a credit report. “If you enroll in the Experian service (at the phone number above) we are offering, you will have access to activity on your credit report. In addition, if you are a U.S. resident, you are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies,” the letter said. To order your free credit report, visit www.annualcreditreport.com or call toll-free at 877-322-8228.
Wawa customers with questions about the data breach or enrolling in the credit monitoring services can call the data breach response line at 844-386-9559. It is open 9 a.m. to 9 p.m. Eastern Time Monday through Friday and 11 a.m. to 8 p.m. on Saturday and Sunday, excluding holidays (which include Dec. 24, Dec. 25, Dec. 31, Jan. 1, and Jan. 20).
Other steps the company recommends:
Order your free credit report: Visit www.annualcreditreport.com, call toll-free at 877-322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. Do not contact the three credit bureaus individually; they provide your free report only through the website or toll-free number.
When you receive your credit report, review the entire report carefully. Look for any inaccuracies and/or accounts you don’t recognize, and notify the credit bureaus as soon as possible in the event there are any.
You have rights under the federal Fair Credit Reporting Act. These include, among others, the right to know what is in your file; to dispute incomplete or inaccurate information; and to have consumer reporting agencies correct or delete inaccurate, incomplete or unverifiable information. More information about the FCRA is on the Federal Trade Commission website.
Place a fraud alert on your credit file: To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert helps protect you against the possibility of an identity thief opening new credit accounts in your name. When a merchant checks the credit history of someone applying for credit, the merchant gets a notice that the applicant may be a victim of identity theft. The alert notifies the merchant to take steps to verify the identity of the applicant.
You can report potential identity theft to all three of the major credit bureaus by calling any one of the toll-free fraud numbers below. You will reach an automated telephone system that allows you to flag your file with a fraud alert at all three bureaus:
- Equifax: 800-525-6285, www.equifax.com
- Experian: 888-397-3742, www.experian.com
- TransUnion: 800-680-7289, www.transunion.com
Place a security freeze on Your credit file: You have the right to place a “security freeze” on your credit file. A security freeze generally will prevent creditors from accessing your credit file at the three nationwide credit bureaus without your consent. You can request a security freeze free of charge by contacting the credit bureaus
Placing a security hold on your credit file may delay, interfere with or prevent timely approval of any applications you make for credit, loans employment, housing or other services. For more information regarding credit freezes, contact the credit reporting agencies directly.