A distressing situation, in which a hacker took 50 gigabytes' worth of data from a combined total of 79 banks, was somewhat mitigated by responses from the industry and other hackers, but the questions that remained unanswered following yesterday's report were no less unsettling for the mitigation.
The hacker in question – a so-called "grey-hat" by the name of Reckz0r, or Jeremy – took to Twitter, claiming that he had not only accessed the records of a wide array of banks illegally, but released a substantial amount of that information relating to MasterCard and Visa.
The details for 1,700 different accounts, including customer names, the type of card used, mailing addresses, phone numbers and e-mail addresses were also released. They were geographically vast, spanning North America and the U.K. The whole affair was released as a plain-text document uploaded to the Web.
The hack, according to Reckz0r, was performed over the course of three months.
The text document itself, meanwhile, represented only a small fraction of the total, and that Reckz0r had taken special care not to reveal credit card numbers, expiration dates or the secret codes attached to same. Reckz0r's hack seemed to primarily target large banks, highlighting Chase in Twitter posts.
Reckz0r's Tweets indicated that Visa and MasterCard specifically had not been hacked, though he later reportedly claimed in a Pastebin post that that was indeed the case. No one is certain yet if this breach is related to the Global Payments breach that happened earlier this year.
Reckz0r's history, meanwhile, makes the point even more confusing, having reportedly been part of the hacking group UGNazi, as well as widely-known hacking collective Anonymous. While some reports suggest the data cache in question may have available at least a week previously from a hackers website, sources from the security industry suggest Reckz0r's haul was in fact "old data," and one of the sources in question was currently tied to the group Anonymous.
Payments industry sources also mentioned in a report that Visa and MasterCard don't actually "hold on to personally identifiable information," such as that said to be contained in the cache.
Some suggest that, as in this case, it's a common move for grey-hat hackers to go for publicity in a bid to get a white-hat security job. Since Reckz0r didn't actually release any data exposing particular accounts, this move makes sense. Reckz0r's actions would have yielded an increase in electronic or paper junk mail at the worst.
The implications, however, are a bit disturbing. Reckz0r had had some data for three months before anyone even noticed a breach. What if he'd kept quiet, pausing only to take a dollar from each account once a month?
With disturbing implications and a muddled overall picture, it's hard to say just what the outcome of this particular hack will be. We'd all like to think our money is safe in the bank, but when news like this emerges, it's easy to wonder if that's really the case.
Edited by
Braden Becker
