In what is being called the biggest cyberattack in the country’s history, data from nearly 17,000 Pakistani bank customers was recently compromised and put up for sale on the dark web. The massive breach affected cards from 22 of the country’s banks, according to PakCERT, Pakistan’s Computer Emergency Response Team.
PakCERT released a statement detailing the attack, stating: “On 26th October 2018, a data dump was posted on the dark web with over 9,000 debit cards, most of which belonged to customers of Pakistani banks. Just when everyone thought the storm is over, on 31st October 2018, a second dump of over 12 thousand cards was posted on Darknet, comprising of 11,000 cards from Pakistani banks.”
The first bank alerted about the data breach was Bank Islami, whose customers reported receiving text messages confirming money withdrawals that they hadn’t approved. Once Bank Islami was made aware of the situation, all of its branches were instructed to watch for suspicious transactions.
While Bank Islami received the most public exposure as a result of the breach, retired Federal Investigation Agency (FIA) cybersecurity captain Mohammad Shoaib explained, “Data of almost all Pakistani banks has been hacked. According to the reports gathered by FIA, most of the banks have been affected.”
Once posted on the dark web, stolen bank card information sells for between $100 and $160 per card. The stolen information is purchased by criminals hoping to use it to make purchases or apply for new credit cards. Customer details such as a full name, an address, and phone or card numbers can be used to purchase almost anything online, and skimmed debit card numbers can be used to create duplicate cards that can withdraw money from anywhere in the world. In response to this incident, Pakistani banks are continuing to monitor customer accounts, and many banks have temporarily stopped approving international credit and debit transactions.
While this latest bank breach is Pakistan’s largest, cybercrimes of this type are becoming increasingly frequent worldwide. In what is perhaps the most widely known consumer data breach, the personal information of 3 million Yahoo users was compromised in 2013. In 2017, Target was forced to pay $18.5 million in settlement payouts for a 2013 cyberattack and data breach affecting more than 41 million customers. Also in 2017, hackers gained access to data stored by the credit reporting bureau Equifax, potentially compromising the personal information of 143 million consumers.
As digital financial transactions become more frequent, it will be up to cybersecurity specialists to anticipate and identify new threats and design solutions that keep consumer data safe.