Wawa's Data Breach

Reset the days without a major data breach back to zero.

In the constantly evolving world of cybersecurity, it doesn’t look like the phrase above will ever surpass the 30-day mark. Seems as if once a month, either a major retailer, financial institution or service provider is affected by some sort of data breach. Now Wawa, a popular east coast chain of gas and convenience stores, has taken the spotlight after a breach related to financial data was discovered to be occurring within the organization from as early as March 4. The retailer joins the long list of entities affected by data breaches in the past year: Marriott, Whitepages, Facebook, First American Financial Corp., American Medical Collection Association, Capital One and Adobe.

Details are still unclear on how an attacker was able to operate inconspicuously within Wawa’s environment for more than eight months, but one fact seems to be known: this breach most likely affected all retail/gas locations under Wawa’s purview. Additionally, it’s been confirmed from an anonymous source that an external firm was called on to assist Wawa in rectifying the data breach, but that firm has yet to be named.

At Schneider Downs, our cybersecurity team assists a multitude of clients in matters related to data breaches, PCI compliance and security awareness. Whenever a breach hits the headlines, we like to remind our readers, clients and potential clients that there is a long list of items to focus on when it comes to payment card security. As we’ve seen across the industry, sensitive cardholder data can be stored – and therefore stolen – from many places, some more obvious than others:

  1. Compromised card readers and other supporting infrastructure (e.g., RAM scrapers)
  2. Paper stored in a filing cabinet (the old fashioned way)
  3. Cardholder data stored in a payment system database
  4. Camera footage recording entry of authentication data
  5. Secret tap into the store’s wireless or wired network
  6. Customer service call center recordings

Based on the limited information we know about the Wawa breach, bulleted items 1, 3 and 5 were the most likely avenues in which the attacker was able to compromise such a large amount of data. The only good news that come out of this story is that Wawa was able to rectify the issue related to this breach within two days once it was identified. The bad news is, the hackers went unidentified in their systems for over eight months.

The best news we can hope for, though, is no more news from the data breach front as we get through the holiday season. In the meantime, we encourage all readers to monitor their payment statements over the coming months if they’ve purchased anything from Wawa in the last year.

Sources:

https://www.cnet.com/news/biggest-data-breaches-of-2019-same-mistakes-different-year/

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

Given Everything We Can Do Online, Why Not Voting?
Wawa Breach Update – Joker’s Stash Data Dump
Maze Ransomware
Crown Prince Mohamed and Jeff Bezos’ Rocky Relationship Leads to Hack, Murder
NSA Makes Unprecedented Vulnerability Disclosure - Microsoft Vulnerability CVE-2020-0601
Wawa's Data Breach

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102