WAWA Suffers Massive Data Breach – Estimated 30 million sets of cardholder data affected
We recently posted a blog ‘New Year, Old Threats’ and only a few weeks later another new card data breach involving old attack methods has come to light. The Wawa chain of convenience stores in the US announced it had been the victim of card data skimming malware on its point-of-sale (POS) systems at all of its 850 locations, in a near-mirror repeat of the separate attacks on Home Depot and Target in 2014 and 2013 respectively.
The Home Depot and Target breaches involved the respective loss of an estimated 50 million and 40 million sets of cardholder data (CHD). As this Wawa infection hit the POS systems at approximately 850 stores and the breach went undetected for nearly 9 months, it is estimated that around 30 million sets of CHD may have been affected, which would make this breach one of the largest in history.
This incident comes after Visa issued two security alerts at the back end of last year warning of this exact type of attack, payment-card skimming malware, at North American petrol stations. All of these breaches and many other smaller ones since 2013 have used a very similar, sophisticated attack methodology: the attackers gain access to the target’s network, move laterally across the merchant’s network using hacking tools, target the POS systems or software, deploy malware or malicious updates that scrape the CHD from those systems, and then exfiltrate the CHD to the attacker’s servers.
Currently, there is no information as to whether Wawa was PCI DSS compliant at the time of the breach, and this is probably because the PCI Forensic Investigators (PFIs), affectionately known as ‘the men in black’, are still conducting an investigation at the time of posting this blog. However, it’s worth reminding ourselves of some of the PCI DSS requirements which would help prevent such an attack from being successful.
Requirement 1 includes a multitude of controls around firewalls, network traffic, and network segmentation designed to prevent attackers from gaining access and moving around inside the network. There are also controls in Requirement 11 about deploying intrusion detection/prevention systems (IDS, IPS), which monitor any attempts to get close to critical systems such as POS devices. Requirements 7 and 8 have many controls designed to restrict access privileges and control who can change those privileges. Requirement 5 includes details about using effective anti-malware software, and Requirement 6 has a large number of controls on patching, updating, and change control to help prevent unauthorised modifications to software.
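To make the change-control point concrete, here is a small file-integrity baseline check of the kind that backs up the Requirement 6 change-control and Requirement 11 change-detection controls mentioned above. This is an added example written for this post, not Wawa’s tooling or any PCI DSS reference implementation; the POS application directory, its files and the “unapproved change” are all constructed in a temporary directory so the script runs offline.

```python
"""Added example: a minimal file-integrity baseline check for a POS
application directory. Not from the original post; every path and file
below is constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file (relative POSIX path) under root to its SHA-256 digest.

    In practice this is taken at an approved, change-ticketed point in time
    and stored somewhere the POS host itself cannot modify.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root, baseline):
    """Return (modified, added, removed) relative paths versus the baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Constructed scenario: approved baseline, then an unapproved change.

    Returns the (modified, added, removed) tuple so it can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        pos = Path(tmp) / "pos_app"          # hypothetical POS install dir
        (pos / "bin").mkdir(parents=True)
        (pos / "bin" / "pos.exe").write_bytes(b"approved POS binary v1.0")
        (pos / "config.ini").write_text("gateway=payments.example\n")
        baseline = build_baseline(pos)

        # Changes with no corresponding change ticket: the main binary is
        # replaced and a new module appears alongside it.
        (pos / "bin" / "pos.exe").write_bytes(b"POS binary v1.0 with unapproved patch")
        (pos / "bin" / "helper.dll").write_bytes(b"unexpected new module")

        return compare_to_baseline(pos, baseline)


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)   # bin/pos.exe
    print("added:   ", added)      # bin/helper.dll
    print("removed: ", removed)    # (none)
```

Any non-empty result from `compare_to_baseline` on a POS host should raise an alert that is reconciled against the change-control record; a modified binary or a new module with no matching ticket is exactly the kind of unauthorised software modification Requirement 6 is meant to prevent and Requirement 11 is meant to detect.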
Finally, there is the key issue that this breach went undetected for a long period of time. Requirement 10 consists almost exclusively of controls for logging and monitoring systems, as well as alerting on security events and unusual activity. Historically within the payment card industry, this is one of the least-complied-with requirements, and unfortunately taking nearly 9 months to discover a breach is not unusual. These long delays in discovering breaches should be salutary lessons for all of us in terms of continuously logging and monitoring.
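As an illustration of what “alerting on unusual activity” can look like in practice for the segmentation and logging controls discussed above (Requirements 1 and 10), here is a small detection routine that runs over firewall log lines from a POS network segment. It is an added example written for this post, not code from Wawa or from the PCI SSC; the log format, the POS subnet, the payment-gateway address and the byte threshold are all assumptions, and the log lines are constructed.

```python
"""Added example: egress monitoring for a POS network segment.

Flags (1) any POS host connecting to a destination other than the approved
payment gateway, and (2) any POS host whose outbound byte count over the log
window exceeds a threshold. Log format, addresses and threshold are assumed.
"""
import ipaddress
import re
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # assumed POS VLAN
ALLOWED_EGRESS = {("203.0.113.10", 443)}             # assumed payment gateway
BYTES_THRESHOLD = 5_000_000                          # assumed per-host alert level

# Assumed firewall log layout: key=value pairs after a timestamp and hostname.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+) action=(?P<action>\S+)"
)

# Constructed sample log lines (documentation IP ranges only).
SAMPLE_LOGS = """\
2020-01-15T02:11:03Z fw01 src=10.20.0.15 dst=203.0.113.10 dport=443 bytes=1820 action=ALLOW
2020-01-15T02:11:09Z fw01 src=10.20.0.22 dst=203.0.113.10 dport=443 bytes=1764 action=ALLOW
2020-01-15T02:12:41Z fw01 src=10.20.0.15 dst=198.51.100.7 dport=443 bytes=6200000 action=ALLOW
2020-01-15T02:13:02Z fw01 src=10.20.0.31 dst=192.0.2.44 dport=8080 bytes=940 action=ALLOW
2020-01-15T02:13:05Z fw01 src=10.30.0.5 dst=192.0.2.44 dport=8080 bytes=940 action=ALLOW
""".splitlines()


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "bytes": int(d["bytes"]),
        "action": d["action"],
    }


def analyse(lines):
    """Return a list of alert tuples for the given log lines.

    Only ALLOWed connections originating inside POS_SEGMENT are in scope:
    blocked traffic is already handled by the firewall, and hosts outside
    the POS segment are covered by other rules.
    """
    alerts = []
    outbound = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue
        if (rec["dst"], rec["dport"]) not in ALLOWED_EGRESS:
            alerts.append(("unexpected_egress", rec["src"], rec["dst"], rec["dport"]))
        outbound[rec["src"]] += rec["bytes"]
    for host, total in sorted(outbound.items()):
        if total > BYTES_THRESHOLD:
            alerts.append(("volume", host, total))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

Two things are worth noting in the design. The allowlist is deliberately tiny: a well-scoped POS segment should only ever need to reach the payment gateway (and perhaps a patch server), so anything else is worth a ticket even if the firewall permitted it. The volume rule is a cheap backstop for the case where an attacker tunnels through an allowed port; the threshold should be set from an observed baseline of normal transaction traffic rather than the placeholder value above.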
Organisations need to be sure that they are maintaining compliance at all times, but more than that they need to be confident that they have correctly assessed the scope of the PCI DSS, so that systems are not missed, and that they continue to monitor the scope for changes. One of our highly skilled QSAs will be delivering a webinar on the finer points of scoping, if you’d like to learn more. Signing off as your friendly neighbourhood QSA.