More than 30 million payment card records stolen in the hack of East Coast convenience store and gas station operator Wawa Inc. in December have appeared for sale on a “dark web” marketplace.

The hack included all of Wawa’s 850 locations and involved the theft of customer names, card numbers and expiration dates at both at gas pumps and inside pay stations. The dark web is a shady part of the internet reachable with special software, where illicit goods and services are for sale.

The number of records stolen was never disclosed by the company but thanks to those behind the hack, we now knows how many: more than 30 million payment card details from more than 40 states and an additional 1 million payment card records from Europe, Asia and elsewhere.

The stolen data was discovered by security firm Gemini Advisory LLC on the Joker’s Stash marketplace, one of the largest and most notorious dark web marketplaces for buying stolen payment card data. The data was first uploaded for sale Jan. 27 with the breach titled “BIGBADABOOM-III.” The median price of U.S.-issued records from the breach is said to be currently $17, with some of the international records priced as high as $210 per card.

“It’s been a month since the Wawa breach was discovered that the card information is showing up as available for criminal hackers,” James McQuiggan, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “At this point, it is unlikely that a lot of these card numbers will be sold because the Card Verification Value information wasn’t part of the data breach and thus makes them difficult to use in the wild.”

But he added that the card information could be used for spear-phishing attacks against the consumers, as they pretend to be the credit card organization.

“The email would be carefully crafted to be from the credit card company, informing them the card was stolen and certain actions need to be taken to prevent any future fraud,” he explained. “They word the email to get the person to click on a link to reset a password or request a new card. This type of trick is common and the consumer may take action without verifying the email first, which could expose their information to a greater risk.”

Robert Capps, vice president of market innovation for biometrics firm NuData Security, a Mastercard company, noted that many retailers and are suffering from point-of-sale attacks as hackers deploy malware within the merchant payment ecosystem.

“Once stolen, this card data, including card number, expiration date, CVV and some consumer information, are sold on the dark web to hackers who are amassing this stolen information for counterfeit card and card-not-present fraud,” Capps said. “Millions of user records flood the dark web, available for cybercriminals to use to create synthetic identities or to steal whole identities: to open up new lines of credit, new credit cards, or use passwords to take over online accounts.”

Explaining that the security in many U.S.-issued PoS terminals and cards is lacking, Mark Bell, executive vice president of operations at network security solutions company Digital Defense Inc., said that’s why it’s important that merchants and card issuers fully adopt EMV (for Europay, Mastercard and Visa) chip and contactless technology to prevent card-present fraud.

“Although the magnetic stripe likely will not go away for years to come, card readers should not allow the use of the magnetic stripe if a card is EMV chip-enabled,” Bell said. “It’s hard to understand how a breach of this magnitude is still occurring in today’s card-present security environment. If the point-of-sale terminals in use were in fact not EMV-capable, the liability for the fraud will fall entirely on Wawa.”

Photo: Wikimedia Commons