Transak ransomware attack compromises 92,000 users

A data breach has affected over 92,000 users of Transak, a crypto on-ramp firm. According to an Oct. 21 blog post, the company identified that a malicious actor gained access to an employee’s laptop through a phishing attack, exposing “specific user information stored within the vendor’s dashboard.”

The attacker compromised the employee’s credentials and was able to log into the system of a third-party Know Your Customer (KYC) vendor used for document scanning and verification services.

Sensitive information such as names, dates of birth, passports, driver’s licenses, and selfies of 92,554 users, or 1.14% of the user base, was compromised. Transak provides a fiat-to-crypto gateway, enabling users to buy and sell digital assets using fiat money. It integrates directly with crypto wallets and decentralized applications (DApps) for transactions.

The company offers non-custodial on-ramps for major crypto wallets and exchanges, including Binance, MetaMask, and Coinbase. Fortunately, Transak reported that no financial information was breached during the attack. “After our thorough checks, we can confidently confirm that no financially sensitive information, including email addresses, phone numbers, passwords, credit card details, Social Security Numbers, or any other financial data, was compromised in any way,” the company stated.

Affected users are being contacted. “If we do not email you, then you have not been affected,” said Transak. Data protection authorities in the United Kingdom, as well as regulators across the European Union and the United States, have been notified.

According to Transak CEO Sami Start, the data breach occurred because an employee “used their laptop for things other than work.” “They’ve been exited from the company,” said Start.

“They did some non-work related activities on their laptop that caused them to run a script – a malicious script – that gave access to their system.”

The access enabled hackers to gain entry to one of Transak’s third-party user authentication, or KYC, services.

According to Start, this particular vendor had a “vulnerability” in its system, which enabled the attacker to download a subset of Transak’s user data via the compromised device. Start insisted that the data breach was limited exclusively to this KYC service. “Any rumors about accessing any other systems are not true,” Start said.

The attackers “may have gotten some screenshots that were in the employee’s download folder – maybe one or two screenshots of some other system – but they only accessed this one vendor, and they only accessed the users that I mentioned. I challenge anyone to show otherwise.”

A ransomware group called Stormous has claimed responsibility for the attack. The group asserts it has obtained over 300 gigabytes of user data and has threatened to leak or sell the remaining data if its demands are not met.

However, Transak has stated that it is not considering negotiations with the ransomware group.

Another recent incident affected users of Fidelity Investments, a financial firm and issuer of crypto exchange-traded products (ETPs). Fidelity disclosed a data breach that exposed information of over 77,000 customers between Aug. 17 and Aug. 19. This was Fidelity’s fourth data breach over the last 12 months, with prior incidents occurring on March 4, March 18, and July 19.

Both companies are taking necessary steps to enhance their security measures and prevent similar breaches in the future.
