Another scam hits PNB: customers’ card data on sale for Rs320

23 Feb 2018

Some 10,000 credit and debit card holders have been affected by a data breach reported by Punjab National Bank (PNB), which is already reeling under a Rs11,300 crore financial fraud by two fugitive jewellers.

According to a report in The Asia Times, security experts believe sensitive information on the cards has been available for purchase through a website for at least three months.

The data includes names, expiry dates, personal identification numbers and even card verification values of around 10,000 bank account holders. The leaked data was available in two packages, one with CVV numbers and the other without, according to the report citing sources.

The Hong Kong-based publication reported that this information has been available on the internet for the last three months. The breach was discovered by CloudSek Information Security, a Singapore based company that keeps a close eye on data transactions, even on sites that are unlisted on Google Search or other major search engine.

According to the report, the bank was unaware of the data breach until CloudSek tipped it off on Wednesday night.

''We have a crawler that is deployed in the dark / deep web. These are sites on the internet which are not indexed by Google or other major search engines. They are used to buy and sell sensitive data illegally,'' CloudSek 's chief technical officer Rahul Sasi told the paper.

''Our crawler detects any such data and sends it to a Machine Learning software that we have created. If this detects anything that is suspicious, and of interest to our clients, we immediately take action,'' Sasi added.

The agency claims that the data has been on sale for $4.90 (Rs320) per card. "Usually these sites on the deep / dark web build up reputations on the authenticity of the data they sell illegally. This particular site has a very good reputation. They offer a sample size to buyers to establish their credentials before the sale is made. In this case they were offering to sell the data at US$4.90 per card," Sasi said.

He added the company had to pass on the details through a government agency as they were unable to contact PNB after detecting the breach as CloudSek is not a customer at the bank.

PNB's chief information security officer T D Virwani has confirmed that it is working with the government to contain fallout from the release of the data.

Government officials who are aware of the breach told the paper that they have been trying to establish the extent of the problem. As of now, they have discovered sensitive information from as many as 10,000 credit cards issued by the bank.

The last updated data had a time stamp of 29 January 2018, indicating that they were current details of customers.

''We believe, on preliminary analysis, that the data has been available for at least three months. While this is yet to be firmly established, we are carrying out our forensic investigation,'' a government official familiar with the case told the paper.

Both the private and government agencies are investigating how the breach occurred.