A significant data breach has come to light, affecting approximately 324,000 users whose payment information has been exposed. The data appears to originate from the payment processor BlueSnap or its client, Regpack, yet despite the scale of the incident neither company has publicly acknowledged a breach.

BlueSnap is a payment facilitator that enables businesses to accept online payments; Regpack is an online enrollment platform that uses BlueSnap's services to process its customers' payments. The data first surfaced on July 10, when an account on Twitter posted a link to a file said to contain around 324,000 records taken from BlueSnap, which is based in Waltham, Massachusetts.

Although the original tweet has since been removed, security researcher Troy Hunt had already saved the file and analysed it. He found strong indications that the leaked payment records are genuine, which has serious implications for the individuals involved. The data set contains names, email addresses, physical addresses, phone numbers, IP addresses, the last four digits of card numbers, CVV codes and invoice details for purchases, covering records created between March 10, 2014 and May 20, 2016.

Hunt's analysis found that file names in the dump included 'BlueSnap' and 'Plimus', the latter being BlueSnap's name before its 2011 acquisition for $115 million. Regpack, however, has been integrated with BlueSnap's platform since 2013 and cannot be ruled out as the actual source of the data: Regpack's customers submit their payment details through Regpack, which hands them to BlueSnap for processing, so the records could have been taken from either side of that integration. Hunt stressed that the relationship between Regpack's clients and BlueSnap's payment service is close enough that responsibility may rest with either company.

The immediate concern is what can be done with the data now that it is in circulation. Full card numbers were not included, but Hunt cautioned that the CVV codes could still help an attacker complete "card not present" transactions, and the last four digits of a card number are widely used by merchants and banks as an identity check, which makes them useful in social-engineering calls to a victim's bank or to a support desk. Two caveats matter for practitioners. First, a CVV alone does not complete a card-not-present purchase: the attacker would still need the full card number (and usually the expiry date), neither of which is in this dump, so the CVVs are most dangerous when combined with card numbers obtained elsewhere. Second, the presence of CVV codes at all is the most telling detail: PCI DSS forbids storing card verification values after authorization, so whoever held these records was retaining data that should never have survived the transaction.

When contacted, both BlueSnap and Regpack denied having suffered a data breach. For those potentially affected, Hunt has loaded the 105,000 email addresses found in the dump into Have I Been Pwned, so anyone who suspects they are affected can check whether their address appears.

The breach raises real questions about the security posture of payment processors and their clients, but nothing published so far establishes how the data was taken, so any mapping of the attack onto MITRE ATT&CK tactics (initial access through an exploited vulnerability, persistence, exfiltration) is speculation. The one concrete finding concerns data at rest: CVV codes were present in the records, and a payment system that follows PCI DSS should never have them to lose. The controls that limit the damage from a breach of this kind do not depend on knowing the intrusion path: tokenize card data at the processor, keep only a token and the last four digits on the merchant side, discard verification codes as soon as the transaction is authorized, and periodically scan stored data for fields that should not be there.
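As an added example that is not code from BlueSnap, Regpack or Hunt, the following Python audit shows the check described above: it scans stored payment records for CVV-type fields and for full, Luhn-valid card numbers, and shows what a compliant record looks like once those fields are removed. The record layout, field names and sample values are constructed for illustration (the only facts taken from the article are the kinds of fields the dump contained); the card number used is a standard test number.

```python
import re

# Constructed sample records, not rows from the leaked file. The fields mirror the
# types the dump reportedly held (name, email, last four digits, CVV, invoice data);
# record B also carries a full card number (a standard test PAN) to exercise the
# Luhn-based detection. Field names are assumptions, not BlueSnap's or Regpack's schema.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.com", "card_last4": "1111",
     "cvv": "123", "invoice": "INV-1001"},
    {"name": "B. Example", "email": "b@example.com", "pan": "4111 1111 1111 1111",
     "cvv": "999", "invoice": "INV-1002"},
    {"name": "C. Example", "email": "c@example.com", "card_last4": "4444",
     "card_token": "tok_abc123", "invoice": "INV-1003"},
]

# Field names under which card verification codes are commonly stored.
CVV_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code"}

# A full PAN is 13 to 19 digits once separators are removed.
PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check, as every real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(value) -> str:
    """Strip the spaces and dashes people put into card numbers."""
    return str(value).replace(" ", "").replace("-", "")


def is_full_pan(value) -> bool:
    """Heuristic: 13 to 19 digits that pass Luhn. Long Luhn-valid phone or account
    numbers can false-positive, so treat hits as candidates for review."""
    v = _digits(value)
    return bool(PAN_RE.match(v)) and luhn_ok(v)


def find_sensitive_auth_data(record: dict) -> list:
    """Return the field names holding data that must not be kept after
    authorization under PCI DSS: verification codes, and full card numbers
    stored in the clear."""
    hits = []
    for key, value in record.items():
        if key.lower() in CVV_KEYS or is_full_pan(value):
            hits.append(key)
    return hits


def sanitize_record(record: dict) -> dict:
    """What the stored record should have looked like: verification codes are
    dropped entirely and a full PAN is reduced to its last four digits."""
    clean = {}
    for key, value in record.items():
        if key.lower() in CVV_KEYS:
            continue
        if is_full_pan(value):
            clean["card_last4"] = _digits(value)[-4:]
        else:
            clean[key] = value
    return clean


def audit(records: list) -> dict:
    """Map each invoice to its offending fields; an empty list means the record is clean."""
    return {r["invoice"]: find_sensitive_auth_data(r) for r in records}


if __name__ == "__main__":
    for invoice, fields in audit(SAMPLE_RECORDS).items():
        print(invoice, "OK" if not fields else "sensitive fields: " + ", ".join(fields))
```

Run against the constructed records, the audit flags the CVV in record A, both the full card number and the CVV in record B, and nothing in record C, which is the shape a post-authorization record should have: a token, the last four digits and the invoice reference. The same scan can be pointed at database exports, log files or backups, which is where retained verification codes usually turn up.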

As the investigation continues, the focus shifts to establishing where the data came from, strengthening defences, and raising awareness of the risks that come with passing payment data along a chain of processors.
