Singapore, Malaysia credit card details dumped online in massive data breach

Hundreds of thousands of credit card details from at least six Southeast Asian countries – including Malaysia and Singapore – have been leaked online, according to India-based cybersecurity start-up Technisanct.

The company said this week it had found a series of data breaches involving credit card details issued by top banks in Singapore, Malaysia, the Philippines, Vietnam, Indonesia and Thailand.

“The results are alarming as it seems no one is aware that such a huge volume of payment card details – including the CVV and PIN – are available,” said CEO Nandakishore Harikumar, referring to the card verification value and personal identification number.

Anyone with access to those details could cause financial losses to the owner of the cards, he added.

Technisanct said its research found that credit card holders in the Philippine were the worst hit, with 172,828 cards breached, while Malaysia and Singapore had 37,145 and 25,290 cards breached respectively.

According to Nandakishore, in the past week his team had identified even more cards available for sale from these six countries. Although many systems required a one-time transaction password, there were portals that did not require this, he said.

Nandakishore said he had emailed the Computer Emergency Response Team (CERT) – which handles cybersecurity incidents – in each country and advised them to take action, although not all had responded.

In Malaysia, both Cybersecurity Malaysia and the central bank, which regulates financial institutions, declined to comment.

CIMB Group Holdings – allegedly one of the affected banks – said it had “no credible evidence that any actionable customer data has been compromised from us”.

“CIMB takes data privacy and protection seriously and has taken the necessary security measures to ensure all customers’ personal information remain secured. We continuously monitor all avenues to ensure that our customer data remains protected where possible,” a spokesperson said.

China’s cybersecurity has improved but risk of financial malware still high

This Week in Asia understands the CERTs of both Vietnam and Malaysia are investigating the matter.

Meanwhile, the Monetary Authority of Singapore said it was constantly monitoring cyber threats, including cyberattacks that may result in payment card fraud, as part of its surveillance.

“We note that security vendors have reported a rise in incidents of data theft internationally, including loss of card details from compromised e-commerce websites,” a spokesperson said, adding that it had strict requirements for financial institutions in Singapore to implement information technology controls to protect sensitive information from unauthorised disclosure.

“Card issuers have well established processes to handle credit cards whose details have been leaked. Card issuers have also put in place real time fraud monitoring to detect and block suspicious transactions promptly,” the MAS said.

Southeast Asian countries have been hit by growing cybercrime including high-profile data breaches.

Last year, subsidiaries of Indonesian low-cost airline Lion Air suffered a massive data breach, resulting in the information of millions of passengers – including passport details, home addresses and phone numbers – being leaked onto data exchange forums.

Malindo Air says massive data breach was caused by former staff at contractor in India

In 2018, the details of millions of mobile service subscribers in Malaysia were leaked online, while popular beauty products retailer Sephora revealed online accounts of residents of Hong Kong, Singapore and Malaysia were compromised by a data leak.

Singapore has been the target of several data leaks, including a widely-reported incident where the confidential information of over 14,000 people diagnosed with HIV was leaked online and another where personal data of 1.5 million patients of SingHealth’s specialist clinics – including Prime Minister Lee Hsien Loong – was compromised.