Anonymous Ukraine pasted the first batch of card information on Pastebin on Tuesday and initial analysis from researchers at Risk Based Security revealed that this comprised 955,579 cards in total.
The group – which reportedly hacked NATO in November – has archives containing Visa, MasterCard, American Express and Discover customer data, with this appearing to include valid credit card numbers, banking routing numbers and full user names.
“Today we publish the first part of our exposure of the international financial system Visa, MC, Discover & Amex, enslaved people around the world. More than 800 million credit cards. Over a trillion dollars (£600 million),” said Anonymous Ukraine on Pastebin. The message heavily criticised the US government, adding that the hacktivism group had “destroyed” the country's economy and banking system.
The group followed up by announcing the leak of more than six million more cards on Twitter. Risk Based Security has analysed the data dump and revealed there to be 6,064,823 new cards, with this figure breaking down as 668,279 American Express, 3,255,663 Visa, 1,778,749 MasterCard and 362,132 Discover.
That, when combined with the initial million, makes a grand total of 7,020,402 and the majority are said to have come from the United States, according to researchers. They add that 4,000 of these details include social security numbers, credit card numbers, card expiry data, full names, PIN, floats, dates of birth, states and zip codes.
Anonymous Ukraine could not be reached for comment, but Risk Based Security researcher Inga Goddijn told SCMagazineUK.com that its investigation continues.
“The investigation is on-going as our researchers continue to analyse the data contained in the dump. Early indications show a substantial number of Visa and MasterCard accounts could potentially be at risk,” she said via email.
“We will continue to update the post on DataLossDB as more information is discovered about this incident.”
There's no way of telling where the data has come from although, given the nature of the data loss, it seems like an ATM or POS system is to blame.
A point-of-sale vulnerability was the primary reason behind the Target data breach late last year, which eventually encompassed 110 million records, including 40 million credit cards. The attack saw memory-scraping malware installed on the firm's point-of-sale devices and, as security researcher Brian Krebs documented in December, a number of these details ended up on the black market.
Writing on his blog, Krebs detailed that some of these credit card details were dumped on popular underground stores like rescator.la – which Ukrainian Andrew Hodirevski allegedly used to sell the credit card data for up to US $100 (£60) on cheapdumps.org, cpro.su and vor.cc.
Speaking shortly after this news was discovered, Martin McKeay – security advocate at Akamai Technologies – said that it is still not overly clear if Anonymous Ukraine is behind the attack, as well as its intentions of posting the data. He added that some of this data could even be duplicated from other recent data breaches where customer data has found its way onto the black market - something Goddijn said was "too early in our research" to speculate on.
“How did they get the data? I've no idea but there are a number of ways. The first place I would look is to see if the records are duplicates,” McKeay told SCMagazineUK.com.
“Seven million [data records] is quite small compared to the standards we're looking at right now,” he added, citing Target's attack and the reported California DMV breach.
“It's very possible that someone got hold of this data on a forum or database, and is claiming it to be from Anonymous Ukraine. Look at Sony's breach – it turned out that they sat on the data for months and then claimed it to be political.”
Neira Jones, independent advisor and former board of advisor member for PCI, as well as former head of payment security at Barclaycard, suggested that the find is likely to be the result of a “set of breaches” but, as many of the compromised banks have re-issued vulnerable cards, believes that the data may be of limited value.
“One thing to note here is that quite a few US banks have already re-issued 17.2 million of the cards that were potentially at risk,” she told SCMagazineUK.com. “So the cards in the dump may not be all that useful depending on further analysis of which are still valid. What is more worrying is that the data set includes social security number, name, dates of birth, states, and zip codes, so the risk of ID theft further down the line is very real.”