(Bloomberg) -- Credit and debit card information from customers of the food and gasoline chain WaWa Inc. is being sold online, according to the fraud intelligence company Gemini Advisory.
The breach “ranks among the largest payment card breaches of 2019, and of all time” because it potentially affected 850 stores and 30 million payment records, Gemini Advisory said in a report on Tuesday.
The news follows WaWa’s announcement in December that payment processors in its stores had been compromised.
Gemini discovered that data from cards used at WaWa -- many of which belong to U.S. financial institutions -- is available for sale on Joker’s Stash, a notorious online marketplace where credit and debit card information is bought and sold.
Data on almost 100,000 cards became available on Monday, but Joker’s Stash claimed it had data from 30 million cards of WaWa customers, according to Gemini Advisory. It’s likely that Joker’s Stash will release additional card data in batches over the next 12 to 18 months, Gemini Advisory co-founder Andrei Barysevich said in an email.
Malware ran on WaWa payment processors from March until December, when the company discovered and stopped it, Chief Executive Officer Chris Gheysens wrote in a letter at the time. He said “potentially all” WaWa locations were affected -- a finding that aligns with Gemini Advisory’s preliminary analysis.
To contact the reporter on this story: Alyza Sebenius in Washington at email@example.com
To contact the editors responsible for this story: Andrew Martin at firstname.lastname@example.org, Robin Ajello, Andrew Pollack
©2020 Bloomberg L.P.