Data Of 10,000 PNB Debit, Credit Card Holders Leaked

Names and even CVV numbers of 10,000 debit, credit card holders being sold for as little as $5 each.



Pedestrians walk past a Punjab National Bank Ltd. bank branch in Mumbai. (Photographer: Dhiraj Singh/Bloomberg)

After a Rs 11,400-crore fraud, a data leak has been detected at Punjab National Bank.

Personal information of 10,000 credit and debit card holders of the state-run lender was available for sale on the dark web, according to Singapore and Bangalore-based threat intelligence enterprise Cloudsek Info Security. BloombergQuint could not ascertain whether any of this data has been misused and if it has led to fraudulent transactions.

The leaked data includes details like customer names, expiry dates of cards, personal ID numbers and CVV numbers, Rahul Sasi, Chief Technology Officer of Cloudsek, told BloombergQuint over the phone. “There could be multiple reasons for this hack. A thorough investigation needs to be deployed to find the source of the leak.”

Details of customers were available for as little as $5 per card on the dark web.

It has been taking place for the last three months, Sasi said. “The first date of uploading of data was November and it only stopped Jan. 28.”

The bank is already battling the fallout of a Rs 11,400-crore financial fraud in which loans were granted based on fraudulent guarantees issued via the bank’s systems. These guarantees were issued in favor of companies related to billionaire jeweller Nirav Modi and his uncle Mehul Choksi, the owner of Gitanjali Group.

The fraud, and now the data leak, call into question the operational risk management systems deployed by the bank.

Asia Times first reported on the data leak. PNB’s Chief Information Security Officer T D Virwani confirmed that the lender was working with the government to contain the fallout of the leak, the report said.

An official response to an email sent to PNB’s spokesperson on the night of Feb. 22 is awaited.

Sasi said the bank was not aware of the data breach until Cloudsek tipped off the management on Feb. 21 after multiple failed attempts.

The company uses machine learning to mine threats from the dark web and the web for its clients, Sasi said. “We had deployed crawler on the dark web, which filters data and alerts us in case of critical threats. We had deployed ‘Bank’ as a keyword on the crawler and that’s how we were alerted about the breach.”