For the past year or more, I’ve been receiving numerous tips and notifications from trusted researchers about leaks and breaches involving entities in India. While some of the incidents involve alleged miscreants, other incidents involve human error or misconfiguration situations. But as many of us have experienced and reported, when it comes to data protection in India, it is often close to impossible to: (1) get entities in India to secure personal information and (2) notify them when their failures have been found by researchers (cf, this post). And then, as Brian Krebs has sadly noted, even when you do reach firms to notify them, they do not always respond appropriately.
Today, Gemini Advisory is releasing a new report their findings with respect to payment card data breaches in India. Of note, Stas Alforov and Christopher Thomas report that Gemini found more than 3.2 million Indian payment card records were compromised and posted for sale in 2018, which elevated India to third in the world in the total amount of stolen payment cards.
This was no small uptick, either. Gemini reports that they identified a 219% spike in Indian payment cards added that year due to a significant rise in stolen Card Not Present (CNP) and Card Present (CP) data.
Of special note, the increasing demand was supported by a 150% surge in the sale price of card data, from a median price of $6.90 USD (approx. 478.02 Indian Rupees) in 2017 to $17 USD (approx. 1,177.73 Indian Rupees) in 2018.
Based on their data and analyses:
Gemini Advisory assesses with high confidence that fraud levels in India, particularly CNP fraud, will likely surpass those of the United Kingdom in 2019, making Indian-issued payment cards the second-most targeted cards in the world.
You can read their full report at https://geminiadvisory.io/india-rising-cybercrime-frontier/
Given how many U.S. firms outsource to India, Gemini’s report serves as a timely reminder that companies need to pay heightened attention to the data security deployed by their third-party providers or vendors. This also applies to the healthcare sector as payment card data, if linked to a patient’s name, are considered identifiers under HIPAA.