More than 320,000 financial records have been leaked, and while the information appears to have been stolen either from payment processor BlueSnap or its customer Regpack, neither of them admit suffering a data breach.
BlueSnap is a payment payment which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments.
Australian security expert Troy Hunt, the owner of the Have I Been Pwned breach notification service, has analyzed the data and, after reaching out to some of the impacted individuals, he determined that the leaked records are most likely genuine. The compromised information includes names, physical addresses, email addresses, IP addresses, phone numbers, invoices containing purchase details, the last four digits of credit card numbers, and even CVV codes.
As Hunt has highlighted, despite the fact that full card data has not been leaked, the compromised information is still highly valuable for cybercriminals, particularly the CVVs, which can be used to conduct card-not-present transactions, and the last four digits of credit cards, which is considered identity verification data and which can be very useful for social engineering attacks.
Although the payment data does not contain full credit card numbers, as Hunt stressed, cyber criminals can still misuse the compromised information, particularly the CVV codes that are highly valuable payment data, which can be used to conduct “card not present” transactions.
Also, the last four digit of any user’s credit card number can also be used for identity verification that’s very useful in conducting social engineering attacks.
Hunt contacted BlueSnap as well as Regpack, but they both denied suffering a data breach. He has also loaded as many as 105,000 email addresses into Have I Been Pwned, so you can search for your address on the site to check whether you are impacted by the breach.