Wawa Credit Card Data Breach Part 2 - Is Your Data Secure?

The Wawa credit card data breach is one of the worst retail failures of data security in recent history. 

Last week we reported on the consumer side of the Wawa credit card data breach that, as far as we can tell, affected every single swiped payment card between March and December 2019. In a nutshell, Wawa discovered a security breach back on December 10th, 2019 involving all of their POS systems, fast-forward to January 28th, 2020 and Wawa released a statement acknowledging that the recently stolen card holder data was featured on “Joker’s Stash”, a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches. 

 This week, we will take a quick dive into some of the likely causes of the credit card data breach, baseline security controls that should have been in place, and some of the ways that GoVanguard recommends to help prevent security incidents like this from happening to your organization. 

Wawa Credit Card Data For Sale on “Joker's Stash”

So What Happened?

The root cause behind most data breaches perpetrated by external malicious actors (including this one) is typically poor implementation of administrative, technical and physical security controls. In the case of Wawa, malware was installed on multiple POS (point of sale) terminals – which is a common asset for malicious actors to target. 

The concerning part of the security incident, as told from Wawa’s own narrative, is that the malware was able to laterally move across multiple Wawa stores and all the way to central POS payment processing servers.  This means that it is likely that Wawa had no or poor network segregation in place which violates a core requirement of PCI-DSS: the standards which apply to all organizations that process card holder data (credit card and debit card transactions). It seems that Wawa did not have basic security and network segregation mechanisms in place like robust access control lists (ACLs) because physical stores should not be able to directly communicate between one another. Basic security controls like ACLs help prevent the lateral movement of malicious actors between information systems and contain the malicious actor to a specific location or system domain. 

Furthermore, the fact that the security breach went undetected for over nine months suggests that Wawa did not have any NIDS (network intrusion detection software) systems in place or it was not being monitored by staff – another PCI-DSS requirement for an organization like Wawa.  

Lastly, Wawa unable to specify which stores were affected and which stores were not affected by the security breach. Wawa’s inconclusive response suggests that they had very little logs to analyze and pinpoint the exact lateral movement path of the malicious actor behind the security breach. This means there was probably no centralized logging facilities or SIEM (security information event management) in place – another PCI-DSS requirement for an organization like Wawa. 

What Happens Next?  

The reputational and financial damage that this security breach will cause Wawa in the mid-long term is inestimable but Classaction.org says that the retailer is “swamped” with litigation; noting at least 11 major, federal lawsuits at this current moment.  

On January 29, 2019, Inspire Federal Credit Union added themselves to the list of plaintiffs. An unnamed, but official spokesman for Inspire Federal Credit Union stated:  

“Furthermore, time will tell whether plaintiff is subject to an imminent threat of future harm because Wawa’s response to the data breach is so inadequate that it is doubtful that it has cured the deficiencies in its data security measures sufficiently to prevent a subsequent data breach.” 

Concisely put, it is apparent that Wawa had an immature information security program with deficiencies across many security controls including network segregation, malware detection, intrusion detection and centralized systems logging. All of these deficient security controls could have been enumerated and analyzed easily with a cybersecurity risk assessment, information security program gap assessment or network penetration test.  

What Can My Company Do To Avoid a Similar Breach?

The Wawa security breach demonstrates a worst-case scenario for a retailer that depends on the trustworthiness of their brand, especially given the failure of so many basic security principles. 

GoVanguard is a cybersecurity provider on the forefront of an ever-changing, complex security landscape. We provide both snapshot-based and continuous security testing services including risk assessments and web/network penetration tests. 

Reach out to us today and see how easy it is take control of your security and keep your brand’s reputation secure.