A post on a Russian hacking forum promises a “full dump”, including credit card details, but the actual data may be far more limited.
A hacker on a popular Russian-language hacking forum has claimed to have access to a “full dump” of an Australian financial technology start-up, but the company has said the hacker’s claims are effectively impossible.
The hacker, known on the XSS forum as uawrongteam, posted on 24 January that they had access to transactions and credit details belonging to Cape, a company specialising in corporate cards and accounting tools.
“Free full dump from getcape.io,” the post promised, before including some copy-and-pasted information about Cape.
“Db contains info by Customers, Credit Cards (PAN, Exp. Date), transactions and more!”
A PAN is a primary account number – the 14 to 19 digits that make up a credit card number. Combined with expiry dates, the leak – as described by the hacker – sounds disastrous.
Cape, however, has said that despite a brief incursion on its networks late last year, such a breach is impossible.
“The claim of our entire database being breached is incorrect,” a company spokesperson told Cyber Daily via email. “We became aware of a brief database compromise due to an unforeseen hole in our security protocols shortly after it happened in December, and it was swiftly closed.”
The real kicker, however, is that Cape does not have access to the primary account numbers of the cards it uses.
“Cape does not and has never received or possessed PAN numbers from our card processor, so this cannot have been accessed,” the spokesperson said. “Hence we can 100 per cent confirm that no card details, no PIN codes, no passwords and no government identity documents were ever compromised. Due to the way we structure the transaction data, it is non-identifiable/anonymised to any customer. We acknowledge there is a data field from our database named PAN, but the information populated in those fields is 100 per cent dummy data.”
This could explain why a hacker supposedly in possession of actual credit card numbers would offer up such a database for free – they know the data is effectively useless. Hackers, especially Russian ones, are not known for their generosity.
As to Cape’s customers, those impacted have been informed and have been using their cards as usual, and Cape has completed a full review of its systems.
“We have since completed a comprehensive review and audit of our access protocols and ID verification methods, leading to the implementation of stricter authentication of the usage of external sites, and further cyber security training for all of our six-person start-up,” a Cape spokesperson told Cyber Daily.
“As per our regulatory duties, we’ve informed the relevant authority.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.