More than 320,000 financial records have been leaked, and while the information appears to have been stolen either from payment processor BlueSnap or its customer Regpack, neither of them admit suffering a data breach.
On June 10, a hacker published on Twitter a link pointing to a file containing roughly 324,000 records allegedly stolen from BlueSnap, a Waltham, Massachusetts-based ecommerce solutions provider that specializes in global payment processing. The company’s customers include design and entertainment software company Autodesk and cloud-based security services provider Incapsula.
Australian security expert Troy Hunt, the owner of the Have I Been Pwned breach notification service, has analyzed the data and, after reaching out to some of the impacted individuals, he determined that the leaked records are most likely genuine. The compromised information includes names, physical addresses, email addresses, IP addresses, phone numbers, invoices containing purchase details, the last four digits of credit card numbers, and even CVV codes.
As Hunt has highlighted, despite the fact that full card data has not been leaked, the compromised information is still highly valuable for cybercriminals, particularly the CVVs, which can be used to conduct card-not-present transactions, and the last four digits of credit cards, which is considered identity verification data and which can be very useful for social engineering attacks.
Some evidence suggests that the data comes from BlueSnap. For example, the hacker who published the link to the data dump said it came from the company. Another clue is related to the fact that many of the organizations mentioned in the leaked invoices are Jewish – BlueSnap started off as Israel-based Plimus, which allowed Israeli merchants to sell goods globally.
On the other hand, the data may come from Regpack, a company that provides online event registration solutions. Regpack has been using BlueSnap’s payment platform since April 2013.
The leaked data could come from Regpack as all the affected users contacted by Hunt had been issued invoices referencing the company. Furthermore, organizations using BlueSnap services don’t have to be PCI compliant, which, in theory, means that Regpack might have not done a very good job at protecting payment information.
“Now it’s possible that the data has come from another unnamed party, but it’s highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn’t have been there,” Hunt explained in a blog post. “We’ve got 899 totally separate consumers of the Regpack service (so it’s not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I’m missing a fundamental piece of the workflow (and I’m certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.”
Hunt has reached out to both BlueSnap and Regpack, but they both denied suffering a data breach. BlueSnap said it had launched an investigation after learning of the leaked data, but found no evidence of a system breach or any data loss. Regpack said it had conducted a full forensic investigation and “conclusively determined” that its servers were not involved.
BlueSnap has provided the following statement to SecurityWeek:
“We are aware of the claims in social media and have seen the data set. We take data security very seriously.
Based on an investigation we initiated as soon as we heard about the data set, we hired a top PCI-certified Incident Response firm. Based on that investigation they confirmed that BlueSnap did not experience a system breach or any data loss.
We will continue to vigilantly monitor all our systems to prevent data loss. We also take the security and confidentiality of the relationship with our merchants very seriously and work 1-on-1 with all of our merchants to help ensure the security of their data. We spend extensively on security and employ foremost experts in our Israel and Boston engineering facilities.”
*Updated with statement from BlueSnap
Related Reading:MICROS Hackers Targeted Five Other PoS Vendors