Personal data of over 70 lakh Indian debit and credit card users have been scraped and posted online, according to information from independent Indian cyber security researcher Rajshekhar Rajaharia. The information, which Rajaharia found, was scraped from Dark Web forums where the data is being circulated among potential customers. In security parlance, such data can be used for a wide range of nefarious cyber activities, including identity theft, online impersonation, phishing attacks, spamming and other related cyber criminal activities. Offering validity to his claim, Rajaharia shared a corresponding Google Drive folder with News18, which contains mass data of credit and debit card users in India. The dump accessed by News18 contains a 1.3GB folder comprising 58 spreadsheets, each categorised either by bank or city and containing hundreds and thousands of entries.
The data sheets, however, do not contain the full credit card numbers or any identifiable credit card details of users. Instead, the data sheets include phone numbers, credit card type, income status and annual earnings, date of birth, city of residence, and in some cases, identification document type and number. Given the nature of the data put together, the folder appears to be a collated list from various sources, which themselves were likely scraped from sensitive data stored insecurely by unknown third-party service and operation partners that banks often work with. While the said data cannot be used directly to carry out financial transactions, it does have enough identifiable factors for scammers to work with.
The data leak covers most major Indian cities, which adds to its significance. The folder has been shared on the Dark Web and may have even been put up for sale. However, given the primary nature of the data on offer, it is not clear whether, in the present cyber crime environment, such data would really be of any major significance to attackers. News18 could not independently confirm the forums on which the credit card folders were originally shared since, given the scope of the internet, the information could have already been distributed far and wide. Rajaharia, who initially reached out to Inc42 to report the discovery, has claimed to have reported the incident to CERT-In, the country’s cyber emergency response team, but is yet to hear back from them on the matter. News18 has independently reached out to the CERT-In incident response team on the matter as well, and will update the report subject to a response from the body.
While such data dumps surfacing on the internet are regular affairs, many such incidents typically point to a badly configured cloud storage data bucket that has been exposed to public access. This data, on the other hand, appears to be a collated list that may have been gathered from various sources, and may hence have been the work of a willful hacker who would have collected the data through the years and sold it to an online forum.