Hacker claims mass bank breach; releases Visa, Mastercard data
Summary: More than 79 banks have been breached, claimed a hacker on Twitter. Following a data release on Tuesday, he said he has more than 50 gigabytes of U.S. and foreign bank data in his hands.
Update: see below.
A hacker, who claimed on Twitter to have illegally accessed the networks of dozens of large banks, has released a vast cache of personal information relating to Visa and Mastercard credit card data.
More than 1,700 separate account details were included in the cache.
The data dump includes customer names, the debit or credit card type --- Visa or Mastercard --- along with postal addresses, phone numbers, and email addresses.
"Grey-hat" hacker Reckz0r --- who oddly enough also goes by the name "Jeremy" --- said on Twitter that he had targeted 79 banks for around three months.
The data breach does not appear limited to the United States. Foreign banks and account details are noted, including from the United Kingdom and Canada.
The data released on Tuesday was compressed in a plain-text document and uploaded to the Web.
The hacker said he took more than 50 gigabytes of data, and that this release is only a fraction of the total amount.
Credit card details do not appear in this release, though a Pastebin post explains that he is "censoring the credit card information" --- including the "credit card number, secret code [and] expiry date."
The targeted banks have not all been named, with the exception of Chase, which was singled out in a separate tweet. The hacker indicated other high profile banks were included.
He also noted on Twitter that Visa and Mastercard were "not hacked," despite a claim to the contrary in the Pastebin post.
It is not yet clear whether this relates to a breach earlier this year, following both Visa and Mastercard warning banks that a credit card processor had suffered an intrusion.
Global Payments came forward as the processor at the center of the breach. No more than 1.5 million accounts were affected, the company said last week.
But it is not yet clear whether this relates to the Global Payments breach earlier this year or not.
In a text document file included with the downloadable file, he said: "I don't give a s**t if you're included, it's all about security, folks."
Sister site CNET understands the hacker 'retired' to become a white-hat hacker and would "use my intelligence for good." In a separate Pastebin post, he said he had left the infamous hacking group UGNazi, along with hacking collective Anonymous.
Questions have been left with Visa and Mastercard in regards to this story. No spokespeople were available from either company at the time of writing.
Update: More details, including tweets and commentary, suggest the data cache may have been available online for more than a week on a hackers' website.
A source close to the payments industry told ZDNet that companies such as Visa and Mastercard "do not hold on to personally identifiable information" of their customers, such as the data included in this cache.
Other sources involved in the security industry --- including one claiming to speak for Anonymous --- believe this apparent data dump to be "old data." On the other hand, questions remain over where the data first came from --- even if it was first dumped on the Web a week or more ago.
Image credit: Twitter.
Talkback
Grey-hat?
Hey, guess what? It's not either/or. You can do both.
Shell Game
Govt way too busy
Hey rhonin, what's
Sorry, just couldn't resist..
Have a Great Day!!
TW
Very Good comment...
Maybe we can get RIAA to do the investigation
RIAA
Wrong
Execution?
Really? Executed? Let's hope you're being facetious or metaphorical or otherwise exaggerating. The death penalty is not warranted. In addition to paying all damages to every victim, I'd rather see his personal info -- ALL of it -- permanently posted somewhere for all to see and use as they see fit. And the same for anyone who helped.
Killers?
So there are at least 10 of you who would actually want the perpetrator executed? What if he was your son or friend? You would actually kill someone for theft? Seriously? Hmm . . . .
Hey don't say he should be hunted down....... They say he's a cousin of
white-hat wannabe
Usually these hackers go for publicity to help them get a career in white-hat security.
Kudos
Ends justifies the means, eh?
So maybe he should release the info
If
Kill the right scum...
Kill the criminals that sell your info to identity thieves.
Kill the identity thieves that use your info to rack up hundreds of thousands of dollars in debt and leave you on the hook for it.
Don't kill the guy trying to warn you about it. That is just stupid! (Even if he is doing it in a d-bag kind of way...)
Who else already hacked in and sold your identity and CC#s to the mafia?
I'm not calling this guy an angel, but ask yourself: Is someone else hacking in as well and selling that info to thieves? Almost certainly!
These banks are not going to secure our info until they are forced to. You would think that after all the hacks and breaches the last two years, that the banking industry would be secure by now, but they obviously are not.
How much money does it cost to put in well-reasoned security methods?
So if the industry is being half-baked there, just what else have they been cheap on so the balance sheet could appear that much better?
What happened to social responsibility in the process? Or should these companies be given a free ride regardless of what they do, at our expense?