Payment Gateway Data Breach Exposes Financial Details of 324,000 users— Data Dump Also Includes CVV Numbers.
Attacking high profile websites and companies, stealing huge databases and dumping the data online seem to be the latest trend in the hacking community. In the latest breach, nearly 324,000 users have been affected as a payment gateway BlueSnap or its affiliate RegPack became a victim of data breach.
The data has been dumped in a file that has been titled Bluesnap_324K_Payments.txt. None of these companies has admitted that a data hack has occurred. The worst part is that the data dump also includes CVV numbers of some users.
For your information, BlueSnap is a Waltham, Massachusetts, based payment processing service that lets users take payments from its customers by providing merchant services. RegPack, on the other hand, is an internationally known online enrollment platform that utilizes BlueSnap for processing the financial transactions of all of its enrollments online.
According to reports, the data hack occurred on July 10th, and the hacking news became public when the hacker posted a link on Twitter that contained financial data of 324,000 users. This particular tweet has already been deleted.
Australian security expert and owner of the breach notification website Have I Been Pwned, Troy Hunt, reviewed the link and identified that all the leaked records are authentic. This data dump includes details of those users who got themselves registered with the service during March 10th, 2014 and May 20th, 2016. The database includes details such as member names, email IDs, physical addresses and contact information, IP addresses and even Credit Card numbers’ last four digits. However, what’s most annoying is that it also contains CVV codes and invoice information that contains details about the purchases made so far.
Hunt believes that it is quite probable that the data belongs to BlueSnap because there are files that contain filenames with BlueSnap and Plimus, which is the original name ofBlueSnap. For your information, BlueSnap was renamed in 2011 after a private firm acquired its rights for $115 million. But, the payment platform of BlueSnap has been used by RegPack since April 2013. Therefore, it is quite likely that the data hack occurred through RegPack.
In his blog post, Hunt explained the key points of this data hack: “We have got 899 totally separate consumers of the RegPack service…who send their data direct to
RegPack who pass payment data onto BlueSnap for processing. Unless I am missing a fundamental piece of the workflow… it looks like accountability almost certainly lies with one of these two parties.”
Regardless of the source of the hack, the main concern right now is that the sensitive financial information of such a humongous amount of users is circulating on the web. It is true that the payment doesn’t contain complete credit card numbers but it is still possible for cyber-criminals to use this information for committing frauds. Especially, presence of CVV codes, which is very valuable data for hackers, makes the situation even more alarming. This code can help in conducting “card not present” transactions.
What we can recommend you is to never store CVV codes if you use them at any time. Not even write them on paper, include in logs or save them on disk. Also, regularly review your logs and debug them to ensure that you aren’t storing sensitive data mistakenly. Never let programs and applications add data collection features to production codes unless you have personally approved it. Lastly, if you record calls never record the parts that contain credit card details and similar confidential data.
Flickr/Debra Jane Seltzer