More Bad News for PNB: Card Data Leaked
Data Breach Appears Separate From $1.8 Billion Fraud Incident
Punjab National Bank, which has been in the news for a $1.8 billion fraud incident, got more bad news when a security company revealed that payment card information for as many as 10,000 of the bank's customers has been for sale on the dark web. The two incidents do not appear to be related.
PNB has acknowledged the breach, Asia Times reports.
CloudSek, an artificial intelligence technology-based threat intelligence company that discovered the breach, tells Information Security Media Group that the data has been available for purchase on the dark web for over three months. Information for sale includes names, credit card numbers, expiration dates, personal identification numbers and card verification values.
"There is no correlation between these two cases," says Rahul Sasi, chief technology officer at CloudSek. "It's pure coincidence that we discovered the breach around this time when the bank is in news for its fraudulent transactions."
How the Breach Was Discovered
Sasi describes how the breach was discovered: "On February 20, we identified a listing that claimed to have multiple cards that belonged to PNB that were put up for sale on a dark web site," he says. "Once we confirmed there was no duplication, we immediately tried reaching out to PNB using the cybercrime contact emails that were listed on their website. But that email bounced."
Sasi says his team was able to reach PNB the evening of Feb. 21. "The PNB officials were quick to respond as we got a call back the same night around 10 p.m. We provided them a detailed report about the leaked data. The next day we provided some more information and the officials assured us of swift action."
CloudSek has crawlers deployed in the dark web, Sasi explains. "The crawlers detect such data and send it to our machine learning software called X-Vigil. If this detects anything that is suspicious, and of interest to our clients, we immediately take action."
Sasi says PNB must now determine if the data offered for sale on the dark web is, indeed, authentic.
ISMG could not get a comment directly from PNB.
Were Other Banks Impacted?
CloudSek believes that no credit card details from other banks were leaked in connection with the PNB incident.
"We maintain a unique hash related to the different data leaks for the past two years, and this hash helps us identify old/invalid leaks," Sasi says. "This is how we have come to the conclusion that only one bank had unresolved leaks that are yet to be fixed."
The cause of the leak of payment card data is not yet clear. "The source could be anywhere ranging from the bank database itself to various parties involved in the credit card processing chain," says Mumbai-based forensics expert Niranjana Karandikar.
"Attackers often target the third parties associated, so it is highly likely that the breach could have happened at a third party by exploiting vulnerabilities in the information systems," she says. "The attack could be a malware-based attack or an injection based attack. ... The insider threat possibility shouldn't be ruled out. More often than not, breaches happen due to an insider threat - intentional or accidental."
Lack of proper controls may have contributed to the data theft, says Sachin Raste, a researcher at e-Scan. "Even though organizations may implement cutting-edge technology to protect their networks, the security implementations by third-party data processors have always been the Achilles' heel," he says.
That's why security practitioners say it's important to conduct frequent vendor audits and implement data loss prevention mechanisms, which can help administrators keep track of the data that end users transfer.
"The issue is more about ensuring protection of data at all endpoints irrespective of the fact that the data may leave the organizational boundary to be handled by a third party," Raste says.
Some security experts say the government must step up long-stalled efforts to form a Computer Emergency Response Team for the financial sector. "One of the roles of Fin-Cert will be constant monitoring of such activities for banks. As of today, the Indian Computer Emergency Response Team, or CERT-In, only issues guidelines and blocks harmful IP addresses. Beyond that it doesn't do much," says C.N. Shashidhar, founder at SecurIT Consultancy, a security consultancy firm based in Bengaluru.