Personal Data of 7 Million Indian Credit, Debit Cardholders Leaked Through Dark Web

Sensitive data related to around seven million credit and debit cardholders has surfaced online through dark Web, according to a security researcher. The data included not only the names of affected Indian cardholders but also their mobile numbers, income levels, email addresses, and Permanent Account Number (PAN) details. It is available for download through a Google Drive link. The link is open for public access and is said to be in circulation on the dark Web for some days now.

Cybersecurity researcher Rajshekhar Rajaharia discovered the Google Drive link from the dark Web earlier this month. It was in circulation with the title “Credit Card Holders data” by some anonymous people, Rajaharia said.

The link, that was shared with Gadgets 360, included 59 Excel files that contained the data including the full names, mobile numbers, cities, income levels, and email addresses of cardholders. It also included PAN card numbers, employer details, and type of bank account linked with the employers of the affected credit and debit card users. However, the leaked data doesn't include the bank account and card numbers of the victims.

Rajaharia told Gadgets 360 that he was able to verify some names listed in the Excel files by finding them on LinkedIn or searching the surfaced mobile numbers on caller ID app Truecaller. He even found his name there while verifying the details.

Although the data doesn't contain any clear references to the banks whose cardholders' details have been leaked, it includes the first swipe amount for most of the cardholders. There are also details to show whether the affected cardholders enabled mobile alerts on their phones.

“The data may belong to some third party that provides service or leads to banks,” Rajaharia said, who initially reported the leak to Inc42.

The exact period from which the data has been leaked is unclear. However, it is likely to include details from mostly between 2010 and early 2019. In some cases, though, the data exposed cardholders' information dating back to 2004.

“The data is related to financial products, and since most of the people exposed are professionals, it's quite expensive,” noted Rajaharia.

Gadgets 360 has reached out to CERT-In for clarity on the leak and will update this space when the agency responds.

Experts believe that being a financial data leak, the information available through the dark Web could be used by attackers for phishing and malware attacks. Karmesh Gupta, CEO of cybersecurity firm WiJungle, told Gadgets 360 that the data surfaced might also used to initiate fraud calls.

"One of the fortunate thing is that leaked data is of employees of multinationals & large corporates and since major of them are cyber-aware so they are less likely to be the victim," said Gupta. "On the other hand, the bad part is since it is difficult to identify whom this data belongs to so it will be difficult to aware the compromised users about such a leak formally until someone comes forward and do it selflessly for the betterment of society."

This is not the first time when sensitive information of a large number of individuals in India has been exposed online. In October, the personal website data of Prime Minister Narendra Modi surfaced on the dark Web. The data leak reportedly included names, email addresses, and mobile numbers of lakhs of individuals. Last year, debit and credit card data of over 1.3 million Indian banking customers was also put on sale on the dark Web by cybercriminals.

Should the government explain why Chinese apps were banned? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.