Security experts believe sensitive info on the cards has been available for purchase through a website for at least three months.
Some 10,000 credit and debit card holders have been affected by a data breach said to be reported by Punjab National Bank (PNB), which is already reeling under a multi-crore rupee financial fraud by two fugitive luxury jewellers.
Security experts believe sensitive information on the cards has been available for purchase through a website for at least three months, the Asia Times reported quoting sources.
Punjab National Bank (PNB) is in the midst of one of the biggest scams in banking history, opening a can of worms worth over Rs 11,300 crore (USD 1,771.69 million) for the banking sector. The fraudulent transactions, likely to have been going on for the last seven years, were unearthed by PNB at one of its Mumbai branches.
According to the report, the bank was unaware of the data breach until a Singapore-registered information security company, CloudSek Information Security, tipped it off on Wednesday night.
“We have a crawler that is deployed in the dark/deep web. These are sites on the internet which are not indexed by Google or other major search engines. They are used to buy and sell sensitive data illegally,” Chief Technical Officer Rahul Sasi told the paper.
“Our crawler detects any such data and sends it to a Machine Learning software that we have created. If this detects anything that is suspicious, and of interest to our clients, we immediately take action,” Sasi added.
Sasi added that the company had to pass the details through a government agency because it was unable to contact PNB after detecting the breach, as it is not a customer at the bank.
The PNB’s Chief Information Security Officer TD Virwani has confirmed that the bank was working with the government to contain fallout from the release of the data, which was offered through a website.
Government officials who are aware of the breach told the paper that they have been trying to establish the extent of the problem. As of now, they have discovered sensitive information from as many as 10,000 credit cards issued by the bank.
The sensitive information includes names, expiry dates, Personal Identification Numbers and Card Verification Values. The last updated data had a time stamp of January 29, 2018, indicating that these were current details of customers.
“We believe, on preliminary analysis, that the data has been available for at least three months. While this is yet to be firmly established, we are carrying out our forensic investigation,” a government official familiar with the case told the paper.
The PNB’s Chief Information Security Officer did not comment on the breach.
Currently, both the private and government sectors are investigating how the breach occurred. They are assuming the data could have come from a laptop or mobile phone carried by a bank customer that was infected with malicious code, or from a third party.
Payment gateways are also being checked. However, an investigator told the paper that chances are higher that the bank’s security was compromised, as a large amount of data came from a single source.
“Usually these sites on the deep/dark web build up reputations on the authenticity of the data they sell illegally. This particular site has a very good reputation. They offer a sample size to buyers to establish their credentials before the sale is made. In this case they were offering to sell the data at US$4.90 per card,” the investigator told the paper.
Sasi stated that all these were possible options, but there wasn’t enough information yet to be certain how the leak had taken place.