Embattled Punjab National Bank has reported a data breach affecting as many as 10,000 credit and debit card customers, and security experts believe that sensitive information has been available for purchase through a website for at least three months.
The disclosure will raise further questions about security levels at the bank, which is already under stress over a reported US$1.77 billion fraud involving fake letters of guarantee that were allegedly used by leading jeweller Nirav Modi to raise funds from banks. Two PNB employees allegedly colluded with Modi and his uncle in the scam.
Asia Times has learned that PNB was not aware of the data breach until it was tipped off on Wednesday night by CloudSek Information Security, a company registered in Singapore but mainly operating in Bengaluru, India, that monitors data transactions.
“We have a crawler that is deployed in the dark/deep web. These are sites on the internet which are not indexed by Google or other major search engines. They are used to buy and sell sensitive data illegally,” said chief technical officer Rahul Sasi. “Our crawler detects any such data and sends it to a Machine Learning software that we have created. If this detects anything that is suspicious, and of interest to our clients, we immediately take action.”
He said CloudSek was unable to contact PNB after detecting the breach as it is not a customer at the bank, but eventually passed the details through a government agency. Asia Times knows the website’s name but is withholding this information at the request of investigators.
Government officials who are aware of the breach said other relevant agencies had been alerted and they were trying to establish the extent of the problem. So far, they have discovered sensitive information from as many as 10,000 credit cards issued by the bank.
This includes names, expiry dates, Personal Identification Numbers and Card Verification Values. Sasi said two sets of data were released: some with CVV numbers and some without. The last date stamp on the data is January 29, 2018, indicating that the details are still current for thousands of card customers.
“We believe, on preliminary analysis, that the data has been available for at least three months. While this is yet to be firmly established, we are carrying out our forensic investigation,” said a government official familiar with the case. Virwani was asked by Asia Times to comment on the breach, but has not yet responded. A message received from him states that he was not authorized to respond to the media and the queries have been forwarded to the Corporate Communications department. The story will be updated as and when a response is received.
Investigators in both the private and government sectors are still trying to determine how the breach occurred. It is thought the data could have come from a laptop or mobile phone carried by a bank customer that was infected with a malicious code, or from a third party. Payment gateways also had access to the data.
But an investigator said it was more likely the bank’s security was compromised, as a large amount of data came from a single source.
“Usually these sites on the deep/dark web build up reputations on the authenticity of the data they sell illegally. This particular site has a very good reputation. They offer a sample size to buyers to establish their credentials before the sale is made. In this case they were offering to sell the data at US$4.90 per card,” he reported.
Sasi said all options were possible, but there wasn’t enough information yet to be certain how the leak had taken place.
It is the second big data leak in recent years in India. In October 2016 more than 3.2 million credit and debit cards issued by numerous banks had to be recalled after customers reported they were used illegally in China and other countries. An investigation revealed that computer systems of a private payment services firm that manages ATM machines for a large Indian bank had been hacked.
(The story has been updated to show that the PNB has still not responded to queries from Asia Times. PNB has stated that the queries have been forwarded to the Corporate Communications department, since the CISO is not authorized to speak to the media)
No0w get the latest edition of all comics from amar chitra katha online book store. Visit amarchitrakatha.com for all your comics need
http://www.amarchitrakatha.com latest bedtiem stories for your kids online
Buy tanri the mantri, shikari shambu, ack latest edition – valmiki ramayana, ayodhya kand and teh ultimate collection. buy now
I lost my job a couple of months ago and I had just a few hundred bucks to my name. I was searching for ways to make money real fast and i bumped into this page from google. At first I was upset but I gave it a try anyways. I ordered for a $10,000 blank atm card and I got my card delivered here in CA. I was curious so I got up and went quickly to the atm and to my surprise I was able to withdraw $2500 that day. My card stopped working after a couple of days but I managed to withdraw $8500 in total. Thank you so much jameswellington114@gmail.com..if you want a blank atm card just email :jameswellington114@gmail.com .They are the best.
I lost my job a couple of months ago and I had just a few hundred bucks to my name. I was searching for ways to make money real fast and i bumped into this page from google. At first I was upset but I gave it a try anyways. I ordered for a $10,000 blank atm card and I got my card delivered here in CA. I was curious so I got up and went quickly to the atm and to my surprise I was able to withdraw $2500 that day. My card stopped working after a couple of days but I managed to withdraw $8500 in total. Thank you so much jameswellington114@gmail.com..if you want a blank atm card just email :jameswellington114@gmail.com .They are the best.