Wawa data breach part of ‘concerning’ industry trend?

Visa in November warned of a “concerning trend” of hackers targeting the point-of-sale (POS) systems of North American fuel dispenser merchants. For example, in August and September 2019, Visa’s payment fraud disruption team investigated two separate breaches at fuel dispenser merchants.

The attacks involved the use of POS malware to harvest payment-card data from fuel dispenser merchant POS systems.

“Card skimming at fuel pumps remains a pervasive and increasing threat for fuel dispenser merchants,” Visa said. “However, these recent, more technically-advanced threat campaigns targeting fuel dispenser merchant POS systems marks a concerning trend that will likely continue.”

In one case, the report stated, “the threat actors successfully compromised the merchant’s network through a phishing e-mail that contained a malicious attachment.” Once the malware was deployed on the merchant’s network, it gained access to payment card data from the targeted POS system.

A month after Visa’s alert was issued, Wawa announced its breach that involved malware that affected payment card information, including credit and debit card numbers, expiration dates, and cardholder names on payment cards used at potentially all Wawa in-store payment terminals and fuel dispensers beginning at different points in time after March 4, 2019, and ending on Dec. 12. In an open letter to customers, Wawa CEO Chris Gheysens disclosed the store’s information security team discovered malware on Wawa payment processing servers on Dec. 10 and that the malware was blocked and contained by Dec. 12.

“This malware affected customer payment-card information used at potentially all Wawa locations beginning at different points in time after March 4, 2019 and until it was contained,” Gheysens said.

Following discovery of the malware, Gheysens said the company “immediately initiated an investigation, notified law enforcement and payment-card companies, and engaged a leading external forensics firm to support our response efforts.”

“At this time, we believe this malware no longer poses a risk to Wawa customers using payment cards at Wawa, and this malware never posed a risk to our ATM cash machines,” Gheysens said.

Risk mitigation measures

For chief compliance officers and chief risk officers, the warning is this: Threat actors are able to obtain payment card data due to merchants’ lack of secure technology—such as point-to-point encryption or tokenization. Also important is compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards designed to ensure companies that accept, process, store, or transmit credit-card information maintain a secure environment.

“The targeting of fuel dispenser merchants is the result of the slower migration to chip technology on many terminals, which makes these merchants an attractive target for criminal threat actors attempting to compromise POS systems for magnetic stripe payment card data,” Visa said.

In its report, Visa recommends fuel dispenser merchants should deploy terminals that support chip technology “wherever possible to deter attacks targeting POS environments, as well as the fraud that occurs at non-chip POS terminals.” Of note, Wawa said this week it will implement chip technology at its gas pumps across all stores, expecting the work to be completed in 2020, according to the Philadelphia Inquirer.

Visa further recommends fuel dispenser merchants take the following measures to prevent a similar attack:

• Deploy and enable chip acceptance on all POS devices;
• Deploy point-to-point encryption;
• Educate employees about cyber-threats and phishing;
• Provide each admin user with their own user credentials;
• Secure remote access with strong passwords;
• Monitor network traffic for suspicious connections and log system and network events;
• Implement network segmentation, where possible, to prevent the spread of malicious software and limit an attacker’s foothold;
• Verify the implementation of required security patches, as required by the PCI DSS; and
• Maintain compliance with all security controls defined in the PCI DSS.

In the event of a confirmed or suspected breach, Visa recommends referring to its “What to do if Compromised” report, published October 2019.