3 Takeaways From the Wawa Data Breach

Echoing incidents like Target and Home Depot, convenience store chain Wawa saw the theft of tens of millions of payment cards via malware installed in its point of sale system. It’s a familiar story, yet still, one that has many lessons to teach.

In late January, the payment card information of 31 million individuals surfaced on the dark web. As reported by Search Security, a cybersecurity-focused Tech Target publication, the information was stolen from convenience store chain Wawa. The chain disclosed in December that malware had been operational on its payment card servers for several months across more than 40 U.S. states. 

It’s an all too familiar story. It directly echoes what transpired in 2014 with Home Depot and in 2013 with Target. It’s also a remarkable display of negligence on Wawa’s part.

The good news is that, as with any major data cyber incident, there are lessons to be learned if your business knows where and how to look. 

All Devices Must Be Secured

Per tech publication ZDNet, Wawa disclosed that the malware was operational from early March to mid-December. Seven months too long. It’s clear that Wawa did not do enough to monitor and secure its payment processing infrastructure.

With that in mind, if a device on your corporate network interacts in any way with sensitive data, you need to treat it with the utmost care. You need to make sure it’s properly protected against intrusion. And failing that, you need to have the necessary tools in place to detect and mitigate any suspicious activity. 

Vendors And Partners Can Easily Put Information At Risk

Wawa put credit card data from thousands of financial institutions at risk. Those institutions themselves did nothing wrong, but it doesn’t matter. One way or another, they still need to deal with the fallout of the breach.

Securing your supply chain is every bit as important as securing your own infrastructure. If you do not hold your vendors and partners to the same security standards as your own organization, you cannot adequately protect your data. Make it clear to any businesses you work with that you expect them to treat your data with the utmost care, and implement security tools that will allow you to mitigate the risks of those that do 

Customer Data Is Still Incredibly Valuable

According to cybersecurity agency Gemini Advisory, payment cards currently sell for about $17 a piece. While individually that might not amount to much, it adds up fast. As a result, there’s big money to be made from selling stolen customer credentials, from payment information to personal data. 

Corporate data can be locked down with ransomware, but it’s a lot harder to sell a product roadmap or proprietary information to a competitor than it is to sell someone’s identity on the black market. 

It’s no surprise that the Wawa breach occurred. It’s far from the first of its kind, nor will it be the last. At this point, all we can do is try to learn from the convenience chain’s mistakes, so that we avoid repeating them.