Credit card details from at least six countries in Southeast Asia including Malaysia may have been stolen and leaked online, according to a new report.
Technisanct, a cybersecurity company based in India said during a research to analyze threats to the financial sector in the South East Asian countries, it found a series of data breaches involving credit card details issued by top banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia and Thailand. “The data dumps found in various dark-web forums where it is put on sale, had more than 300K payment card details including their CVV, Expiry date,” it said in a press release.
The research found that credit card holders in the Philippine were the worst hit, with 172,828 cards breached, while Malaysia and Singapore had 37,145 and 25,290 cards breached respectively. The breach may have affected both credit and debit type of payment card.
|Country||Affected BINs (Bank Identification Numbers)||Breached Cards|
The researchers from Technisanct believe that these payment card numbers may been collected using phishing network, through some kind of malware attack on individuals, fraudulent apps or through POS (point of sale (POS) machines where consumers swipe their cards to make payment.
In one media report by the South China Morning Post (SCMP), CIMB Group Holdings is allegedly one of the affected banks – said it had “no credible evidence that any actionable customer data has been compromised from us”.
“CIMB takes data privacy and protection seriously and has taken the necessary security measures to ensure all customers’ personal information remain secured. We continuously monitor all avenues to ensure that our customer data remains protected where possible,” a spokesperson to SCMP.
Cybersecurity Malaysia and the central bank (Bank Negara Malaysia), which regulates financial institutions, declined to comment in the media report.
“The results are alarming as it seems no one is aware that such a huge volume of payment card details – including the CVV and PIN – are available,” said CEO Nandakishore Harikumar, referring to the card verification value and personal identification number.
Anyone with access to those details could cause financial losses to the owner of the cards, he added.
According to Nandakishore, in the past week his team had identified even more cards available for sale from these six countries. Although many systems required a one-time transaction password, there were portals that did not require this, he said.
Nandakishore said he had emailed the Computer Emergency Response Team (CERT) – which handles cybersecurity incidents – in each country and advised them to take action, although not all had responded.
It is believed that the Malaysian Computer Emergency Response Team (MyCERT) is investigating the issue.
[Source 1]– Technisanct Press Release
[Source 2]– SCMP