A crypto-industry employee’s laptop used for non-work purposes is reportedly at the heart of a data breach involving some 93,000 unique users. Transak, an “onramp” used by several popular blockchain companies to allow customers to buy cryptocurrencies, revealed on Monday that it had fallen victim to a data breach. Transak said the leaked data was limited to “names” and “basic identity information.” Transak CEO Sami Start stated that 93,000 people were impacted by the breach, which included passports, ID cards, and selfies used by customers to verify their identities with crypto financial products.
Start categorizes the incident as “mild or moderate” since it does not involve sensitive information that might bring more significant risk. Only 1.14% of the user base was affected. “No bank statements, social security numbers, credit card information, or emails or passwords were accessed, which limits the severity of this incident significantly,” Start said.
The CEO said Transak was reaching out to customers and had notified law enforcement and data regulators. However, the company is also being asked to negotiate with a ransomware group that claimed responsibility for the attack and has already ridiculed a purported $30,000 offer to delete the stolen data. “This breach has impacted all KYC [know your customer] data processed through Transak’s infrastructure,” the ransomware group claimed in a public Telegram group.
“We have extracted more than 300GB of data, which includes sensitive personal documents such as government-issued IDs, proof of address, financial statements, and user selfies.”
The ransomware group claims it has only released a subset of the stolen data and threatened to “leak the remaining data or sell it to the highest bidder” if Transak fails to pay a ransom. Transak provides developers with tools to bridge users from fiat to crypto, such as by allowing them to purchase cryptocurrencies via credit card.
Data breach from KYC vulnerability
According to its website, Transak has been integrated into major blockchain wallets like Metamask and Trust Wallet. Crypto exchanges like Coinbase also use Transak’s services. Transak is not interested in negotiating with the ransomware group.
“We don’t know if they necessarily did this or are just claiming credit for it,” said Start. “They’ve released this evidence where they’ve shown some screenshots from our KYC vendor, but it’s possible that someone else posted that somewhere else, and they’ve just taken credit for it.”
Start said the data breach occurred because an employee “used their laptop for things other than work.”
“They’ve been exited from the company,” said the Transak CEO. “They did some non-work related activities on their laptop that caused them to run a script – a malicious script – that gave access to their system.”
That access let the hackers reach one of Transak’s third-party user authentication or KYC services.
This particular vendor’s system had a “vulnerability,” which enabled the attacker to download a subset of Transak’s user data via the compromised device. Start insisted that the data breach was limited exclusively to this KYC service. “Any rumors about accessing any other systems are not true,” Start said.
The attackers “may have gotten some screenshots in the employee’s download folder – maybe one or two screenshots of some other system – but they only accessed this one vendor and the users I mentioned. I challenge anyone to show otherwise.”