Punjab National Bank is reeling under great stress due to the Rs 11,400 crore banking fraud that happened recently. To add to the problems, a new data breach has been reported by The Asia Times, which has allegedly compromised sensitive data of some 10,000 credit and debit card holders.
The report suggests that the data includes names, expiry dates, personal identification numbers and even card verification values of around 10,000 bank account holders. The leaked data had two sets of packages one with CVV numbers and the other without.
The Hong Kong based publication reported that this information has been available on the internet since three months. The breach was discovered by CloudSek Information Security, which is a Singapore based company that keeps a close eye on data transactions, even on sites that are unlisted on Google Search or any other major search engine.
According to Sasi, Chief Technical Officer of CloudSek, there are certain crawlers deployed by them that keep checking for anomalies in transactions. In his statement to the Asia Times he said, "We have a crawler that is deployed in the dark/deep web. These are sites on the internet which are not indexed by Google or other major search engines. They are used to buy and sell sensitive data illegally."
He further added, "Our crawler detects any such data and sends it to a Machine Learning software that we have created. If this detects anything that is suspicious, and of interest to our clients, we immediately take action."
The agency claims that the data has been on sale for $4.90 per card (Roughly Rs 320)."Usually these sites on the deep/dark web build up reputations on the authenticity of the data they sell illegally. This particular site has a very good reputation. They offer a sample size to buyers to establish their credentials before the sale is made. In this case they were offering to sell the data at US$4.90 per card," he reported.
In the report, the cyber security agency claims that they failed to setup direct communication with the bank and had to go through a government agency to relay the information. There are no details regarding the source of the leak. Concerned government agencies have been alerted and are trying to evaluate the extent of leak.