Data Breaches of the Week: Tales of PoS Malware, Latrine Status

Tara Seals, Threatpost (threatpost.com)
Feb 22, 2019 - 6:32 p.m.
The data-breach onslaught continued this week with casualties sprinkled across the globe. Victims included retailers, banks and one state-owned gas company. The theme this week was the Indian subcontinent, with consumers in Pakistan and India feeling the main brunt of the proceedings.

A point-of-sale malware incident right here in the U.S. leads off this week's round-up.

U.S. Restaurant-Goers Bitten by PoS Malware

A company that provides point-of-sale (PoS) systems and services for restaurant locations said that malware was able to scrape payment-card data from diners for about three weeks in January.

North Country Business Products (NCBP) said that consumers who used credit and debit cards at its business partner restaurants between January 3 and January 24 are potentially affected.

It didn't venture to put a number on how many consumers could be affected, but it's worth noting that NCBP's reach is long, with partner restaurants running the gamut from Collins' Irish Pub in Flagstaff, Ariz., to Vinyl Taco in Grand Forks, N.D. The full list of affected locations is available in its website notice.

As is typical with PoS malware, the specific information potentially accessed includes the cardholder's name, card number, expiration date and CVV – everything an enterprising cybercriminal needs to clone a card, or many cards. The company didn't offer details as to how the malware made its way onto its systems, nor how it went undetected for three weeks.
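The data a PoS RAM scraper collects is magnetic-stripe track data sitting in the terminal's memory between card read and encryption. The same pattern matching the malware uses can be turned around for detection: scan a memory dump or capture for Track 1/Track 2 layouts and keep only hits whose PAN passes the Luhn checksum. The following is an added example written for this round-up, not code from NCBP or from the incident; the memory blob is constructed inline and uses well-known test card numbers, and the regexes are a simplification of the ISO 7813 track formats.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# Simplified ISO 7813 layouts; real scrapers use patterns much like these.
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: separates real PANs from digit runs that merely look like one."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (what PCI DSS allows to be displayed)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(blob: bytes) -> list:
    """Return Luhn-validated track-data hits found in a memory or capture blob."""
    hits = []
    for m in TRACK1_RE.finditer(blob):
        pan = m.group("pan").decode()
        if luhn_valid(pan):
            hits.append({"track": 1, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "name": m.group("name").decode(), "exp": m.group("exp").decode()})
    for m in TRACK2_RE.finditer(blob):
        pan = m.group("pan").decode()
        if luhn_valid(pan):
            hits.append({"track": 2, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "exp": m.group("exp").decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "memory": two genuine-looking records plus one decoy whose
# PAN fails Luhn (the kind of noise a careless scraper would also pick up).
SAMPLE_MEMORY = (
    b"\x00\x00POS_TERMINAL_v3\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000?"
    b"\x00\x00garbage bytes\x00"
    b";5555555555554444=26051011234567890?"
    b";4111111111111112=25121011234567890?"
    b"\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a process memory dump of the PoS application (or a PCAP, if the terminal sends data in the clear) this flags exactly the records a scraper would have exfiltrated; a clean system that encrypts at the read head should produce no hits at all.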

Joker’s Stash Underground Credit Card Dumps

Meanwhile, three sizable dumps of credit-card information showed up on the Joker's Stash Dark Web forum. Group-IB told ZDNet that two of them contain the collective card details of 69,189 Pakistani bank customers, mostly from Meezan Bank Ltd. – and, crucially, include the PINs for the cards.

“Pakistani banks’ cards are rarely sold on underground cardshops. This, and the fact that all the cards came on sale with PIN codes explains the high price, which was kept at 50 USD per card, while usually the price per card on Dark Web forums ranges from 10 to 40 USD,” Group-IB said.

At $50 per card, that values the two caches at roughly $3.5 million.

Also this week, a Joker’s Stash ad appeared for the “DaVinci Breach,” a dump containing the card details for over 2.15 million U.S. bank customers from 40 states – for now, it’s unclear where the data came from.

Another Day, Another Misconfigured DB

Also this week, security researcher Bob Diachenko found yet another example of a misconfigured database left open to the internet where anyone could read it. This one was a MongoDB instance with no password that contained 4.1GB of highly sensitive information on roughly half a million (458,388) individuals in India, collected by the Government of National Capital Territory of Delhi.

The content, which seemed related to a company named Transerve, included “a pretty detailed portrait of a person,” Diachenko said, including names, voter card numbers, health conditions, education levels, addresses including house numbers and floor levels, and miscellany like “‘type of latrine’, ‘functional water meter’, ‘ration card number’, ‘internet facility available’ and even ‘informant name,'” Diachenko said.

After Diachenko contacted CERT-In, the database was secured and taken offline.
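"A MongoDB with no password" almost always means two settings in mongod.conf: access control never switched on (security.authorization) and the server bound to every interface (net.bindIp). The following is an added example, not the Delhi or Transerve configuration: it audits a weak config beside a hardened one using a small parser for the two-level YAML subset mongod.conf uses. Both config texts are constructed for illustration; the only MongoDB facts assumed are the option names and that mongod 3.6+ defaults bindIp to localhost when the key is absent.

```python
# Constructed example of the exposure pattern: no access control, all interfaces.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from the whole internet
"""

# Corrected: authentication required, listening on loopback only.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text: str) -> dict:
    """Parse the 'section:' / '  key: value' YAML subset that mongod.conf uses.

    Comments and blank lines are dropped; nested depth beyond two levels is
    not needed for the options checked here.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf[section] = {}
        else:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> list:
    """Return a list of findings describing why this config would expose data."""
    conf = parse_conf(text)
    findings = []

    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not enabled: "
                        "any client that can connect can read every database")

    net = conf.get("net", {})
    # Assumption: mongod 3.6+ binds to localhost when bindIp is absent.
    bind_ips = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    if net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bind_ips):
        findings.append("net.bindIp listens on all interfaces: "
                        "port 27017 is reachable from the internet without a firewall")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Either finding alone is survivable (auth without a firewall, or loopback-only without auth); it is the combination, which was the stock configuration of older MongoDB builds, that lets anyone with a port scanner walk the collections.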

Elsewhere in India…

Meanwhile, India's state-owned gas company Indane, which has about 90 million customers, was found to have improperly secured the website that it uses to interact with its dealers and distributors, exposing millions of Aadhaar numbers.

Aadhaar numbers are similar to Social Security numbers in the U.S. – they’re a government identity mechanism.

Somehow, part of Indane's site was indexed by Google, allowing access to the dealer database – even though the site is supposed to be password-protected. After being tipped off on Twitter, researcher Baptiste Robert wrote a Python script to crawl the database, and he estimates the total number of those affected to surpass 6.7 million.

“By running this script, it gives us 11,062 valid dealer IDs,” he wrote in a blog post. “After more than one day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak. Unfortunately, Indane probably blocked my IP, so I didn’t test the remaining 1572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200.”

Neither Indane nor Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), has responded to the news.
