Wawa, Inc. Breach Incident Score: Analysis & Impact (WAW1302913112225)

In this Rankiteo incident briefing, we review the Wawa, Inc. breach identified under incident ID WAW1302913112225.

The analysis begins with a detailed overview of Wawa, Inc.'s information like the linkedin page: https://www.linkedin.com/company/wawa-inc-, the number of followers: 106567, the industry type: Retail and the number of employees: 18645 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 766 and after the incident was 654 with a difference of -112 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Wawa, Inc. and their customers.

On 10 December 2019, Wawa, Inc. disclosed data breach, malware attack and payment card compromise issues under the banner "Wawa Data Breach (2019) – Exposure of Customer Payment Card Data".

Between March 4 and December 12, 2019, malware on Wawa's payment processing servers exposed credit and debit card data (including card numbers, expiration dates, and cardholder names) of customers who used their cards at any of Wawa's 850 stores or fuel pumps.

The disruption is felt across the environment, affecting payment processing servers, and exposing credit/debit card numbers, card expiration dates and cardholder names, with nearly millions (exact number undisclosed) records at risk, plus an estimated financial loss of $9 million (settlement payout).

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like malware removal from payment servers, while recovery efforts such as $9M settlement with eGiftCard payouts to affected customers continue, and stakeholders are being briefed through email notifications to affected customers (sent Nov 19, 2021+) and public settlement details.

The case underscores how resolved (settlement reached), with advisories going out to stakeholders covering eGiftCard settlement emails (sent Nov 19, 2021+) with subject line 'Wawa Settlement eGift Card'.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate to high confidence (70%), supported by evidence indicating malware on payment processing servers (public-facing systems compromised). Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Visual Basic (T1059.005) with moderate confidence (60%), supported by evidence indicating malware on payment processing servers (commonly uses scripting for persistence/execution). Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with moderate to high confidence (80%), supported by evidence indicating malware on payment processing servers (8-month persistence suggests web shell or backdoor). Under the Credential Access tactic, the analysis identified OS Credential Dumping: Security Account Manager (T1003.002) with moderate confidence (50%), supported by evidence indicating malware on payment processing servers (possible lateral movement if credentials were dumped). Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), with evidence including exposed credit/debit card details (numbers, expiration dates, cardholder names), and malware designed to steal card data and Command and Scripting Interpreter: PowerShell (T1059.001) with moderate confidence (60%), supported by evidence indicating malware on payment processing servers (PowerShell often used for data scraping). Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Channel (T1048.002) with moderate to high confidence (85%), with evidence including data exfiltration such as likely (malware designed to steal card data), and 8-month breach suggests encrypted C2 channels and Exfiltration Over Command and Control Channel (T1041) with high confidence (90%), supported by evidence indicating malware on payment processing servers (C2 likely used for exfiltrating card data). Under the Defense Evasion tactic, the analysis identified Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (70%), supported by evidence indicating 8-month undetected presence suggests log/trace cleanup and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (65%), supported by evidence indicating delayed detection and communication (possible security tool tampering). Under the Impact tactic, the analysis identified Reflection Amplification (T1620) with lower confidence (30%), supported by evidence indicating fraudulent transactions (indirect impact via stolen card data) and Resource Hijacking (T1496) with moderate to high confidence (75%), supported by evidence indicating malware on payment processing servers (repurposed servers for data theft). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.