10,000 cardholders’ details exposed after Indian bank is breached

A data breach at Punjab National Bank (PNB) has exposed 10,000 cardholders’ payment card details, according to information discovered by CloudSek Information Security.

The cyber security company found PNB customers’ names and their payment cards’ personal identification numbers, expiry dates and verification numbers for sale on the dark web. The information has apparently been online for more than three months.

This incident comes only weeks after the announcement that PNB is to be investigated for its involvement in a $1.7 billion USD fraud scheme. Two PNB employees allegedly colluded with Nirav Modi, a Mumbai-based jeweller, to create fake letters of guarantee.

PNB is one of India’s ‘Big Four’ banks, but its response (or lack thereof) to this incident suggests that it needs to invest heavily in cyber security. CloudSek Information Security said it had been trying to contact the bank for some time, but was only able to get PNB’s attention on 21 February 2018, after passing on details of the breach to a government agency.

The majority of breaches are discovered by third parties, according to the 2017 Ponemon Cost of Data Breach Study, so it’s essential that organisations have a system in place to investigate warnings such as CloudSek’s.

The faster an organisation can identify a breach, the sooner it can shore up its defences and allow potentially affected customers to take the necessary actions. Acting quickly can also save organisations significant sums of money. Ponemon’s study found that the average cost of identifying a breach within 100 days was $5.99 million, but for breaches that took longer to identify, the average cost rose to $8.7 million.

Preventing payment card breaches

Although it’s not clear how PNB’s information was leaked, this incident shows the effects a payment card breach can have. Cyber criminals prize payment card information, as it offers many ways to make money. The information can be used to make fraudulent purchases, purchase gift cards (making the false payments harder to track) or sold to other criminals.

It’s essential that organisations do everything they can to stay secure. The Payment Card Industry Data Security Standard (PCI DSS) regulates payment card security, applying to any organisation in the world that handle payment card data.

IT Governance offers a variety of services to help you comply with the PCI DSS. Our pocket guide to the Standard, toolkits, a staff awareness course and software help you understand and implement the PCI DSS, but for comprehensive help, we recommend PCI DSS consultancy.

Our range of services help you with whatever needs you have, whether it’s scoping, gap analysis, implementation, the compliance audit, or maintenance and continual improvement.