Hackers may have bagged millions of credit card numbers in Wawa breach last year

At the end of last year, popular convenience store chain Wawa confirmed it was the latest victim of today’s all too common data breaches. Now we’re learning more on the potential scale of the hack. Krebs on Security has reported that more than 30 million credit card numbers could have been stolen. While CVVs and PINs were not captured, affected customers are still at risk.

The news comes after a “fraud bazaar” called Joker’s Stash on Monday began selling a new batch of stolen card numbers. Fraud experts speaking to Krebs on Security tied the numbers directly back to cardholder purchases at Wawa. The convenience chain announced the breach on December 19th, 2019, saying that it had discovered card-stealing malware installed on its payment processing systems that would copy magstripe data when a card was swiped.

This was preventable, folks — What’s most frustrating about this hack is that it probably wouldn’t have occurred if the United States wasn’t so laughably behind on updating credit cards to the stronger chip-based security (the cards you dip rather than swipe) that the rest of the world uses.

Chips are much harder and more expensive for criminals to copy than magstripes because the chips hold your data in an encrypted format, whereas magstripes store the card number in plaintext. It's hard to make a new physical chip and copy data over. Consequently, hackers have started focusing more on stealing credit card information online through compromised websites and database breaches.

As Krebs on Security notes, gas stations were originally mandated to install chip-readers by October 1st, 2017 or face steep liability in the face of breaches, but due to the costs associated with installing the readers, Visa extended the deadline until October 1st, 2020.

Wawa passes the consequences to you and your bank — Apparently, the headache placed on consumers doesn’t matter because they can just call up their card company and get reimbursed, meaning someone else is taking on the costs for Wawa’s laziness. In a statement, Wawa continued to urge customers to monitor their credit card statements for fraudulent purchases and report anything suspicious to their bank.

If I sound annoyed, don’t get it twisted: I still love Wawa sandwiches and it’s absolutely worth the risk to continue buying them.