In this Security Alert, CBI reviews the recent Wawa credit card breach, what it means for consumers and how companies can prevent similar breaches in the future.
As detailed in this article in The Hacker News, hackers stole customer credit card details from convenience store retailer Wawa and posted the information to a marketplace on the dark web. The data breach leaves more than 30 million sets of payment records potentially exposed, including credit card numbers, expiration dates and consumer names.
This breach potentially affects customers who purchased from any Wawa convenience store from March to December of 2019. Here are some tips for consumers and best practices for retailers to prevent similar breaches.
For users, our recommendations are quite simple. First, one of the simplest and easiest methods to protect yourself is to make a habit of using your credit card rather than your debit card for day-to-day purchases. Credit cards have purchase protection for situations exactly like this where a breach happens outside of your control and credit card information is sold on the dark web. Yes, unauthorized purchased to your debit card can be reversed, but it’s a 30-90 day process that directly impacts your personal funds. Unauthorized credit card purchases on the other hand can be reversed instantly because there are built-in protections for this type of scenario.
It’s also good to sign up for a dark web monitoring service, that way all your personally identifiable information such as social security number, address or email is continuously monitored for suspicious activity. If your data does appear on the dark web, this type of monitoring service can alert you quickly so you can take the necessary steps to change passwords, stop payments or change cards.
As for Wawa themselves, in this instance it appears there was malware on the actual server(s) that process credit cards.
There are a couple security controls companies can put in place to stay ahead of the curve and prevent breaches like this.
The first control method is to regularly identify and segregate critical servers that store sensitive consumer data. The more limited you make the server access, the more controlled of a data environment you’ll get.
Another recommendation is to harden your servers in a way that limits their ability to function outside of a very specific set of whitelisted functions. You’ll also be alerted to any attempts to access the machine outside of approved users/credentials. Even if the credentials of approved user(s) get compromised and used to access the hardened machine, if properly implemented, that user or users still will not be able to install/move/retrieve data from the hardened server. While firewalls and antivirus are great, hardening the actual box is a quick and easy way to use policy to defend your critical system(s).
Lastly, be sure to make use of tokenization. Essentially, you should never store customer credit card info on your servers. With tokenization, data is encrypted before it is ever stored on database servers. Tokenization replaces identified data with a randomly generated string of characters. The actual customer credit card info is never stored or even seen, and the token basically substitutes for the card data. Choosing a payment gateway with tokenization will minimize risk of such breaches greatly as well.