India’s Signzy, a platform for online ID verification and digital onboarding that lists the countries four biggest, and more than 600 financial institutions around the world among its clients – has confirmed “a security incident.”
The know-your-customer (KYC) verification company, which has been operating since 2015, reacted in this way to reports that customer data had allegedly appeared on a cybercrime forum, for a short amount of time.
Related: Rise in Stolen Singaporean ID Data Shows The Dangers of Digital ID
The event provides a good example of the dangers and pitfalls that accompany digital ID schemes, from the security point of view alone.
This fintech company counts Mastercard and a number of large venture capital firms among its investors, while its monthly onboarding figure for individuals and businesses amounts to 10 million.
The attack – which involved an information stealer malware, according to one of Signzy’s clients, the Netherlands-based PayU, took place last week.
This payment service also said the data of its customers was not compromised. TechCrunch is reporting this, based on claims of having seen a post on the cybercrime forum – because of which sources concerned about customer data contacted the outlet.
India’s ICICI Bank, another Signzy client, said that it suffered no negative consequences from the attack.
Now, Signzy confirmed the attack but was unwilling to provide any details, including whether data had been extracted from their devices. Another confirmation of the incident itself came from India’s CERT-In, the government’s Computer Emergency Response Team.
The Indian central bank, meanwhile, was not willing to comment on the situation.
Both Signzy and CERT-In are now “taking action” and “investigating” what happened – with a Signzy spokesman saying a third party, a “professional security service,” has been hired to find out what exactly happened.
Although Signzy would not say if data had been taken from its systems, PayU mentioning the type of malware involved suggests that this risk is realistic.
“Infostealer” software’s “specialty” targets are financial and business data as well as that belonging to individuals – and that includes credit card numbers, passwords, etc.
If successful, these attacks allow people behind them to carry out a range of criminal activities, including those tied to identity theft.
