[UPDATED]: Thousands of Malaysian credit card details leaked in massive breach

[ UPDATE 10/03/2020 16:10 ]: We’ve reached out to Nandakishore Harikumar, CEO of Technisanct, for more information on the issue. Based on the list of compromised Bank Identification Numbers that he has sent, we have now attached a list of banks that issued the compromised credit cards (see heading: Who is affected?).

Additionally, the team at Technisanct have also shared their input with the Malaysian Department of Personal Data Protection to aid their investigation.

==========

A cybersecurity startup based in India, Technisanct, recently discovered that a massive data breach has hit credit card holders in at least six countries in Southeast Asia: Vietnam, the Philippines, Singapore, Indonesia, Thailand, and Malaysia. The information that has purportedly been compromised is highly confidential in nature, including details such as CVV and PIN, according to SCMP.

The cybersecurity experts said that 37,145 credit cards have been hit in Malaysia—although credit card holders in the Philippines are the most affected, with 172,828 cards breached. The details are being dumped online, and even more card details are still being compromised.

The CEO of Technisanct, Nandakishore Harikumar, warned that these compromised details could result in losses for credit card holders—the alarming bit here is that “no one is aware” of the threat, he says. Consequently, the Computer Emergency Response Teams (CERT) in affected countries have been notified and advised to “take action”. That said, we have yet to see an official statement from Bank Negara or the authorities on the matter just yet.

SCMP also reports that CIMB Bank is one of the institutions that have been affected, although the bank denies this:

“[There is] no credible evidence that any actionable customer data has been compromised from us.”

“CIMB takes data privacy and protection seriously and has taken the necessary security measures to ensure all customers’ personal information remain secured. We continuously monitor all avenues to ensure that our customer data remains protected where possible.”

Singapore’s Monetary Authority has also “noted” that there has been an increase in data breaches—including those that involve the loss of credit card details.

Who is affected?

According to Technisanct CEO Nandakishore Harikumar, the breach is made up of a collective loss of data over the past 6 months, as opposed to a single event. Harikumar explains that there has been a huge increase in point of sale (POS) machines being attacked by malware, while phishing networks are also responsible for the loss of these credit card numbers. Basically, phishing is the act of how victims are contacted by email/telephone/text message, and tricked into revealing personal information.

In other words, banks aren’t to blame for the data loss, as these institutions are limited in the control they have over consumers’ credit card usage. The issue, according to the cybersecurity consultant, has more to do with the carelessness of users when choosing where they save their card numbers (3rd party websites).

The findings of Technisanct are also based on Bank Identification numbers (BINs), which can be used to ascertain the location and issuer of the credit cards concerned. Based on a list of BINs that Technisanct has sent over, the compromised credit cards were issued by banks in Malaysia including:

• Maybank
• CIMB
• Hong Leong
• Citibank
• Public Bank
• United Overseas Bank (UOB)
• HSBC Amanah
• RHB Bank
• Alliance Bank Malaysia
• Bank Islam
• Standard Chartered
• Bank Kerjasama Rakyat
• AmBank
• Bank Simpanan Nasional

Not the first time

This isn’t the first time we’re hearing of a massive data breach—only recently, passengers’ personal information were exposed when subsidiaries of Lion Air were affected. At the time, the files were compromised after the airlines’ cloud storage service was hacked, and information including passport details, addresses, and phone numbers were leaked online. Technisanct was also involved in the discovery of the the airlines’ breach.

At the moment, we aren’t sure how these credit card details were leaked, and we don’t know the names of the exact banks that were hit. SCMP says that cards affected were “issued by top banks” in affected regions.

For now, it’d be wise to monitor your credit card transactions. If you notice any unauthorised transactions or suspicious activity on your card, contact your bank to suspend your card immediately and notify the relevant authorities. While many vendors require a one-time password or other safeguards against credit card fraud, there are still portals that only require a CVV and basic card information to complete transactions.

[ VIA ]

Related reading