Hacker claims mass bank breach; releases Visa, Mastercard data

Summary: More than 79 banks have been breached, claimed a hacker on Twitter. Following a data release on Tuesday, he said he has more than 50 gigabytes of U.S. and foreign bank data in his hands.

TOPICS: Security, Banking

Update: see below.

A hacker, who claimed on Twitter to have illegally accessed the networks of dozens of large banks, has released a vast cache of personal information relating to Visa and Mastercard credit card data.

More than 1,700 separate account details were included in the cache.

The data dump includes customer names, the debit or credit card type (Visa or Mastercard), postal addresses, phone numbers, and email addresses.

"Grey-hat" hacker Reckz0r --- who oddly enough also goes by the name "Jeremy" --- said on Twitter that he had targeted 79 banks for around three months.

The data breach does not appear limited to the United States. Foreign banks and account details are noted, including from the United Kingdom and Canada.

The data released on Tuesday was compressed in a plain-text document and uploaded to the Web.

The hacker said he took more than 50 gigabytes of data, and that this release is only a fraction of the total amount.

Credit card details do not appear in this release, though a Pastebin post explains that he is "censoring the credit card information" --- including the "credit card number, secret code [and] expiry date."

The targeted banks have not all been named, with the exception of Chase, which was singled out in a separate tweet. The hacker indicated other high profile banks were included.

He also noted on Twitter that Visa and Mastercard were "not hacked," despite the Pastebin post claiming that he had hacked them.

It is not yet clear whether this relates to a breach earlier this year, following both Visa and Mastercard warning banks that a credit card processor had suffered an intrusion.

Global Payments came forward as the processor at the center of the breach. No more than 1.5 million accounts were affected, the company said last week.

But it is not yet clear whether this relates to the Global Payments breach earlier this year or not.

In a text file included with the downloadable file, he said: "I don't give a s**t if you're included, it's all about security, folks."

Sister site CNET understands the hacker has 'retired' to become a white-hat hacker and would "use my intelligence for good." In a separate Pastebin post, he said he had left the infamous hacking group UGNazi, along with hacking collective Anonymous.

Questions have been left with Visa and Mastercard in regards to this story. No spokespeople were available from either company at the time of writing.

Update: More details, including tweets and commentary, suggest the data cache may have been available online for more than a week on a hackers' website.

A source close to the payments industry told ZDNet that companies such as Visa and Mastercard "do not hold on to personally identifiable information" of their customers, such as the data included in this cache.

Other sources involved in the security industry --- including one claiming to speak for Anonymous --- believe this apparent data dump to be "old data." On the other hand, questions remain over where the data first came from --- even if it was first dumped on the Web a week or more ago.

Image credit: Twitter.

Talkback

69 comments
  • Grey-hat?

    This guy should be hunted down and executed. Of course we know the police authorities are too busy with people sharing mp3s to be bothered.
    Bill4
    • Hey, guess what? It's not either/or. You can do both.

      NT
      baggins_z
      • Shell Game

        It's a scam against taxpayers. Typically, someone can use the data and steal our credit and go off and buy stuff, so Corporations make profit. While these cards are usually protected under FDIC and the "Losses" are footed by the taxpayer. Again, Privatizing profits, and socializing losses. It's what companies do best.
        trust2112@...
    • Govt way too busy

      Asking for Google to censor specific items and trying to figure out how to get Dot Coms data to the NZ courts... :O
      rhonin
      • Hey rhonin, what's

        Non-Zealot got to do with this?....LOL..
        Sorry, just couldn't resist..

        Have a Great Day!!
        TW
        T-Wrench
    • Very Good comment...

      Rich RIAA executives can find small time file sharing pirates while federal authorities allow thousands of millions of dollars worth of credit exploited on the net. Priorities are in all the wrong places!!
      partman1969@...
      • Maybe we can get RIAA to do the investigation

        since the CIA and FBI can't seem to do the job.
        library assistant
      • RIAA

        Hollywood and the entertainment industry provide the campaign funds which get high-ranking politicians elected. And they provide the lobbyists that draft the laws. That's how priorities get set.
        Photog7
      • Wrong

        It's all about lobbying. The RIAA/MPAA has convinced congress that their content is worth far more than it actually is.
        DonRupertBitByte
    • Execution?

      @Bill4,

      Really? Executed? Let's hope you're being facetious or metaphorical or otherwise exaggerating. The death penalty is not warranted. In addition to paying all damages to every victim, I'd rather see his personal info -- ALL of it -- permanently posted somewhere for all to see and use as they see fit. And the same for anyone who helped.
      moebiusloop
      • Killers?

        Wow, I've been dinged 10 times! Nice, I like that :-) Obviously touched a sore nerve for some of you.

        So there are at least 10 of you who would actually want the perpetrator executed? What if he was your son or friend? You would actually kill someone for theft? Seriously? Hmm . . . .
        moebiusloop
    • Hey don't say he should be hunted down....... They say he's a cousin of

      Loverock Davidson who is a hackers - hacker from what everyone claims. :-)
      Over and Out
    • white-hat wannabe

      On one hand he'll claim he's doing it for "the security".. which I think we're all in favour of; better to have someone who's going to find these exploits before genuine criminals, and not use them for his own nefarious purposes. On the other hand he could be going about information disclosure in a more industry approved way.

      Usually these hackers go for publicity to help them get a career in white-hat security.
      jrbrewin
  • Kudos

    We must remember that he didn't release enough info for people to just start draining the account. Are we going to pout about security breaches places where we don't want them, or are we going to make our important institutions step their game up. There's now a danger that some 'hacker(s)' can make companies transparent. I'm concerned that it took around three months to get so many gigs of data. That number is insanity. If you took a dollar from each one... exactly
    dariquew@...
    • Ends justifies the means, eh?

      So when some vigilante decides YOU'RE the bad guy for whatever reason, will you sing the same tune?
      baggins_z
    • So maybe he should release the info

      Nothing should be kept secret. What harm could come from that? :)
      William Farrel
    • If

      we kill off the scum, there's nothing to protect the innocent from.
      timspublic1@...
      • Kill the right scum...

        Kill the banking boards and officers that are not securing your info.

        Kill the criminals that sell your info to identity thieves.

        Kill the identity thieves that use your info to rack up hundreds of thousands of dollars in debt and leave you on the hook for it.

        Don't kill the guy trying to warn you about it. That is just stupid! (Even if he is doing it in a d-bag kind of way...)
        mlashinsky@...
    • Who else already hacked in and sold your identity and CC#s to the mafia?

      If you are going to kill the messenger and ignore the message, then you deserve your accounts hacked. He is showing that the banking industry is not securing our accounts, and if he can hack it, others can too.

      I'm not calling this guy an angel, but ask yourself: Is someone else hacking in as well and selling that info to thieves? Almost certainly!

      These banks are not going to secure our info until they are forced to. You would think that after all the hacks and breaches the last two years, that the banking industry would be secure by now, but they obviously are not.
      mlashinsky@...
  • How much money does it cost to put in well-reasoned security methods?

    And, to this day, credit cards' magnetic strips STILL aren't encrypted and it's all too easy - via numerous methods and not all by handing over the card physically - to have one's info on the strip copied...

    So if the industry is being half-baked there, just what else have they been cheap on so the balance sheet could appear that much better?

    What happened to social responsibility in the process? Or should these companies be given a free ride regardless of what they do, at our expense?
    HypnoToad72