More than 320,000 financial records have been leaked, and while the information appears to have been stolen either from payment processor BlueSnap or its customer Regpack, neither of them admit suffering a data breach. (UPDATE: Regpack has confirmed that the leaked data comes from its systems)
On June 10, a hacker published on Twitter a link pointing to a file containing roughly 324,000 records allegedly stolen from BlueSnap, a Waltham, Massachusetts-based ecommerce solutions provider that specializes in global payment processing. The company’s customers include design and entertainment software company Autodesk and cloud-based security services provider Incapsula.
Australian security expert Troy Hunt, the owner of the Have I Been Pwned breach notification service, has analyzed the data and, after reaching out to some of the impacted individuals, he determined that the leaked records are most likely genuine. The compromised information includes names, physical addresses, email addresses, IP addresses, phone numbers, invoices containing purchase details, the last four digits of credit card numbers, and even CVV codes.
As Hunt has highlighted, despite the fact that full card data has not been leaked, the compromised information is still highly valuable for cybercriminals, particularly the CVVs, which can be used to conduct card-not-present transactions, and the last four digits of credit cards, which is considered identity verification data and which can be very useful for social engineering attacks.
Some evidence suggests that the data comes from BlueSnap. For example, the hacker who published the link to the data dump said it came from the company. Another clue is related to the fact that many of the organizations mentioned in the leaked invoices are Jewish – BlueSnap started off as Israel-based Plimus, which allowed Israeli merchants to sell goods globally.
On the other hand, the data may come from Regpack, a company that provides online event registration solutions. Regpack has been using BlueSnap’s payment platform since April 2013.
The leaked data could come from Regpack as all the affected users contacted by Hunt had been issued invoices referencing the company. Furthermore, organizations using BlueSnap services don’t have to be PCI compliant, which, in theory, means that Regpack might have not done a very good job at protecting payment information.
“Now it’s possible that the data has come from another unnamed party, but it’s highly unlikely. Not only could I not pick a pattern in the data suggesting it was sourced from elsewhere, but the CVVs just shouldn’t have been there,” Hunt explained in a blog post. “We’ve got 899 totally separate consumers of the Regpack service (so it’s not from one of them) who send their data direct to Regpack who pass payment data onto BlueSnap for processing. Unless I’m missing a fundamental piece of the workflow (and I’m certainly open to suggestions on what this might be), it looks like accountability almost certainly lies with one of these two parties.”
Hunt has reached out to both BlueSnap and Regpack, but they both denied suffering a data breach. BlueSnap said it had launched an investigation after learning of the leaked data, but found no evidence of a system breach or any data loss. Regpack said it had conducted a full forensic investigation and “conclusively determined” that its servers were not involved.
BlueSnap has provided the following statement to SecurityWeek:
“We are aware of the claims in social media and have seen the data set. We take data security very seriously.
Based on an investigation we initiated as soon as we heard about the data set, we hired a top PCI-certified Incident Response firm. Based on that investigation they confirmed that BlueSnap did not experience a system breach or any data loss.
We will continue to vigilantly monitor all our systems to prevent data loss. We also take the security and confidentiality of the relationship with our merchants very seriously and work 1-on-1 with all of our merchants to help ensure the security of their data. We spend extensively on security and employ foremost experts in our Israel and Boston engineering facilities.”
UPDATE. Regpack has confirmed that the leaked data comes from its systems and blamed the incident on human error. The company provided the following statement to Troy Hunt:
“Regpack has confirmed that all payments information passed to the payment processor is encrypted on its databases. Nonetheless, periodically, this information is decrypted and kept internally for analysis purposes. We identified that a human error caused those decrypted files to be exposed to a public facing server and this was the source of the data loss. This was identified by our teams going back and reviewing some of the log files as indicated in the blog discussion post. We have changed our approach to handling this data and are confident that this one-time mistake will not occur again.
To reiterate our security stance:
1. The source of the data loss was a procedural human error.
2. Neither Regpack nor BlueSnap had our systems breached. This has been confirmed by independent forensic experts retained by each company after the initial data loss. As a further security measure, RegPack has rebuilt all servers and run full security scans on the new servers.
3. Both Regpack and BlueSnap have conducted thorough reviews of the environments and found that all systems are secure.
4. Regpack and Bluesnap have updated all internal security procedures and processes to ensure that no data can leave internal environments. This will prevent the loss we saw in this case.
Regpack is notifying vendors whose customers were potentially affected so they can make the appropriate communications.”
*Updated with statement from BlueSnap and Regpack, and confirmation from Regpack that the data has been taken from its systems
Related Reading: MICROS Hackers Targeted Five Other PoS Vendors