Cyber Incident Victim: Wash Tub

The Wash Tub, a San Antonio-based business, publicly disclosed a payment card breach on November 12, 2020, following an investigation into suspicious activity reported on customer payment cards. The incident spanned approximately thirteen months, from September 2019 through October 2020. The company initiated a forensic investigation after receiving notifications about anomalous transactions linked to cards used at its locations. Investigators identified malicious software deployed on payment systems that enabled unauthorized third parties to access cardholder data during transactions. The breach impacted multiple Wash Tub locations, though the organization did not specify whether all sites were affected or provide a definitive list of compromised facilities despite external inquiries. The malicious software operated undetected for over a year before investigators discovered and eradicated it from systems.

The forensic investigation confirmed that attackers exfiltrated payment card details through the malware, prompting The Wash Tub to implement security upgrades including payment terminal replacements and enhanced protective measures. The company issued public notifications advising customers who visited any location during the breach window to vigilantly monitor their payment card statements for unauthorized transactions and report fraud directly to their financial institutions. No specific details regarding the number of affected individuals, types of cards compromised, or forensic attribution to threat actors were disclosed in the public notice. DataBreaches.net attempted to clarify the scope of impacted locations through direct outreach but received no response from The Wash Tub prior to publication. The organization directed customers to its website for additional information while emphasizing remediation efforts to secure payment processing systems post-breach.