Earlier this year, a security consultant from Telus Security Solutions, Milind Bhargava revealed that over 70,000 Canadian credit card numbers were listed for sale on a dark web market.
Bhargava released the findings as part of a presentation that was aimed at providing insight on just how much personal information from Canada was available on dark web markets.
He announced this at a SecTor conference held in Toronto.
Credit Cards Were All From One Province
Bhargava’s division, which is usually tasked with monitoring dark web sites that deal in the sale of credit cards for their corporate clients, said that like any other credit and debit cards, Canadian credit cards were easy to identify using the first six digits on the card.
These identify the type of card and also the bank it is affiliated with. As it stands, no organization has claimed credit card theft.
In his presentation, Bhargava said that more than 70,000 Canadian credit cards were suddenly put up for sale on the dark web following the data breach.
Despite the cards being from multiple banks, the security consultant noted that they all came from the same province.
Bhargava noted that it was rare to find such a large amount of stolen credit card information coming from such a localized area. He refused to disclose the identity of the province in question.
Data Breach was Some Form of Contest
The stolen Canadian credit cards were on sale for as little as forty cents to as much as $3. The expiry dates on the cards ranged from this year to 2020.
According to Bhargava, there is no clear indication as to how or when exactly the data breach occurred.
The only assumption that could be derived from the situation was that the data collection may have happened for at least over a year.
He also speculated that due to the fact that the cards were sourced from all over Canada, it was possible that the credit card data collection was hosted by some sort of an organization as a contest.
Cyintelligence Inc. Emphasizes on Diligence in Protecting Organizational Data
The CEO of Cytelligence Inc., Daniel Tobok, was not impressed by the figures, saying that the discovery of 70,000 Canadian cards on the dark web market was not that astonishing.
The former managing director of the forensics and security consulting division at Telus, who is now the current head of the Toronto-based digital security consulting firm Cytelligence Inc., divulged in an interview that an upwards of 400,000 different credit and debit cards from Canadian banks are currently on the dark web.
He confirmed the speculation that Canadian cybercrime is largely underestimated, saying that Canada is just as targeted by cyber criminals and malware attacks as any other country.
What’s more, these dark web criminals seek more than just credit card information.
Human resource department databases are often raided for personal data such as social security numbers and T4 income tax information, among other sensitive information.
As Tobok divulged in the interview, his firm had recently been investigating year-long data breaches that resulted in the thefts of approximately 18,000 records containing credit card information and T4 income tax information from a Canadian organization, which he refused to name.
The organization’s security was breached using a carefully executed phishing scam which included email spoofing to install malware in order to breach the organization’s security.
The organization in question was negligent, in Tobok’s opinion, as they had last carried out a thorough security audit two and a half years ago.
Stolen Information Unverifiable
In Bhargava’s presentation alongside Telus consultant Peter Desfigies, he highlighted the fact that despite the alarming amount of Canadian data available for sale on the dark web, there was no way to verify the legitimacy of the stolen data on offer.
However, the availability of Canadian Interac accounts from almost all the major banks in Canada, which came with all the necessary information such as usernames, passwords, and PIN codes, and even security questions spoke volumes about the legitimacy of the stolen information.
Bhargava is, however, sure that little can deter criminals from piecing together bits of data even without the assurance of verification.
He himself had previously been a target of a crime under the pretense of a Canadian government official who tried to extort him in connection with an immigration violation.
The anonymous caller had every bit of Bhargava’s information down pat.