Personal Details of 7 Million Indian Cardholders Exposed
Researcher: Data Circulating on Darknet Sites Includes PANs
Permanent Account Numbers and other personally identifiable information of 7 million debit and credit cardholders in India are circulating on darknet discussion forums, an independent security researcher has discovered.
Researcher Rajshekhar Rajaharia tells Information Security Media Group he found the data, which is hosted on an accessible Google Drive, after it had circulated on darknet discussion forums.
Rajaharia says the exposed database contains about 2GB of personally identifiable information, including names, email addresses, contact details, the types of banking accounts used and Permanent Account Numbers. A PAN is a 10-digit number used for tax purposes. The exposed information also includes whether the individuals have enabled mobile alerts for the contact details.
The data, which appears legitimate, does not include payment or credit card details, Rajaharia notes.
"I personally cross-checked the names listed with other details, such as their jobs in LinkedIn, and in the first 100 cases I was able to identify the individuals with ease," Rajaharia tells ISMG.
The researcher adds that the Google Drive is owned by someone called "Physician Craze." He says that individual may have scraped the data from other sources, such as third-party service providers contracted by banks to market payment cards.
Rajaharia says he found the data on Dec. 2, and it appears to have been uploaded on Google Drive on June 21. It’s not clear, he says, whether the data is from a single source or was compiled from multiple sources.
"The posting of this data should be used to call for stricter data protection laws in India," Rajaharia says.
Potential Use for Fraud
Brandon Hoffman, CISO at the security firm Netenrich, notes that it's important to find the source of this information to determine who might have had data exposed and if others are affected.
"If it was from a healthcare facility or a retail chain, what other information may have been taken and not found?" Hoffman asks. "Has this data been used to further the fraud attack chain?"
Since the start of the global COVID-19 pandemic, several large Indian organizations have been targeted by hackers.
In October, Dr. Reddy's Laboratories, a multinational pharmaceutical company based in India that’s testing a COVID-19 vaccine, was the victim of a ransomware attack. The incident forced the firm to shut down plants in India, Brazil, Russia and the U.K. to prevent further spread (see: Indian Pharmaceutical Company Investigates Security Incident).
In the same month, Haldiram's, a snacks manufacturer, suffered a ransomware attack in which attackers encrypted files and demanded a ransom, according to the Times of India.
In September, a hacking campaign targeted India's defense forces, including individual soldiers, with phishing emails and malware designed to steal data, according to Seqrite Cyber Intelligence Labs (see: Hackers Target India's Military).