Embattled Punjab National Bank has reported a data breach affecting as many as 10,000 credit and debit card customers, and security experts believe that sensitive information has been available for purchase through a website for at least three months.
The disclosure will raise further questions about security levels at the bank, which is already under stress over a reported US$1.77 billion fraud involving fake letters of guarantee that were allegedly used by leading jeweller Nirav Modi to raise funds from banks. Two PNB employees allegedly colluded with Modi and his uncle in the scam.
Asia Times has learned that PNB was not aware of the data breach until it was tipped off on Wednesday night by CloudSek Information Security, a company registered in Singapore but mainly operating in Bengaluru, India, that monitors data transactions.
“We have a crawler that is deployed in the dark/deep web. These are sites on the internet which are not indexed by Google or other major search engines. They are used to buy and sell sensitive data illegally,” said chief technical officer Rahul Sasi. “Our crawler detects any such data and sends it to a Machine Learning software that we have created. If this detects anything that is suspicious, and of interest to our clients, we immediately take action.”
He said CloudSek was unable to contact PNB after detecting the breach as it is not a customer at the bank, but eventually passed the details through a government agency. Asia Times knows the website’s name but is withholding this information at the request of investigators.
Government officials who are aware of the breach said other relevant agencies had been alerted and they were trying to establish the extent of the problem. So far, they have discovered sensitive information from as many as 10,000 credit cards issued by the bank.
This includes names, expiry dates, Personal Identification Numbers and Card Verification Values. Sasi said two sets of data were released: some with CVV numbers and some without. The last date stamp on the data is January 29, 2018, indicating that the details are still current for thousands of card customers.
“We believe, on preliminary analysis, that the data has been available for at least three months. While this is yet to be firmly established, we are carrying out our forensic investigation,” said a government official familiar with the case. Virwani was asked by Asia Times to comment on the breach, but has not yet responded. A message received from him states that he was not authorized to respond to the media and the queries have been forwarded to the Corporate Communications department. The story will be updated as and when a response is received.
Investigators in both the private and government sectors are still trying to determine how the breach occurred. It is thought the data could have come from a laptop or mobile phone carried by a bank customer that was infected with a malicious code, or from a third party. Payment gateways also had access to the data.
But an investigator said it was more likely the bank’s security was compromised, as a large amount of data came from a single source.
“Usually these sites on the deep/dark web build up reputations on the authenticity of the data they sell illegally. This particular site has a very good reputation. They offer a sample size to buyers to establish their credentials before the sale is made. In this case they were offering to sell the data at US$4.90 per card,” he reported.
Sasi said all options were possible, but there wasn’t enough information yet to be certain how the leak had taken place.
It is the second big data leak in recent years in India. In October 2016 more than 3.2 million credit and debit cards issued by numerous banks had to be recalled after customers reported they were used illegally in China and other countries. An investigation revealed that computer systems of a private payment services firm that manages ATM machines for a large Indian bank had been hacked.
(The story has been updated to show that the PNB has still not responded to queries from Asia Times. PNB has stated that the queries have been forwarded to the Corporate Communications department, since the CISO is not authorized to speak to the media)