Highlights:
- Transak reports a security breach affecting 92,554 users after a phishing attack on an employee’s laptop.
- No financial data was compromised; the exposed data was personal information such as IDs, passports and selfie snapshots.
- Transak has contacted authorities and is working to protect affected users and improve future security.
Transak, a cryptocurrency on-ramp service, revealed it suffered a security breach affecting 92,554 users. The breach followed a phishing attack that compromised an employee’s laptop and gave the attacker unauthorized access to sensitive personal data held by a third-party Know Your Customer (KYC) vendor. According to Transak’s official statement on October 21, the attacker exploited the employee’s credentials to access user information.
Crypto payment provider Transak announced that the company recently suffered a security incident, resulting in the leakage of basic identity information of 1.14% of users. The attacker gained access to an employee's laptop through a complex phishing attack and then logged into…
— Wu Blockchain (@WuBlockchain) October 21, 2024
The compromised data included names, dates of birth, passports and driver’s licenses, and selfies taken to verify accounts. Transak, however, assured users that financial data, for example credit card details, Social Security numbers and email addresses, was not compromised. The company also confirmed that its non-custodial nature means users retain full control over their assets, so funds were never at risk.
Phishing Attack Triggers Security Incident
The breach was traced to a phishing attack targeting one of Transak’s employees. This allowed a malicious actor to gain access to the employee’s laptop and, subsequently, to the system of a third-party KYC vendor used for document verification services. Through this unauthorized access, the attacker exposed the personal details of approximately 1.14% of Transak’s user base.
So far there is no evidence of data misuse. However, the incident has raised concerns about the vulnerability of third-party systems in the cryptocurrency industry. Transak immediately contacted affected users and notified data protection authorities in the UK, European Union and the United States. Users who were not affected will not be contacted, the company confirmed.
Stormous Ransomware Group Claims Responsibility
The Stormous ransomware group claimed responsibility for the attack and said it had acquired 300 gigabytes of sensitive data, including personal documents used in the KYC process. The group reportedly stated that some of the leaked data is online. Transak has not negotiated with the group, which demanded a ransom to prevent the release of further stolen information.
🚨Cyberattack Alert ‼️
🇺🇸USA – Transak
Stormous hacking group claims to have breached Transak, a developer integration for a fiat-to-crypto payment gateway.
Allegedly, 300 GB of sensitive personal documents, including government-issued IDs, proof of address, financial… pic.twitter.com/edy856IfQZ
— HackManac (@H4ckManac) October 21, 2024
In response to the breach, Transak has committed to improving its security measures to prevent future incidents. The company plans to enhance employee training and strengthen its systems to guard against phishing attacks and other forms of social engineering.
Response and Ongoing Investigation
Transak responded to the breach by contacting a leading cybersecurity and forensic firm to investigate the incident. The company has also taken stronger security measures to prevent future phishing attacks. Some of these improvements include adding employee training, upgrading software defenses, and restricting access to sensitive systems.
Additionally, Transak is contacting affected users, asking them to remain cautious and watch for any suspicious activity. The company has offered users resources like identity monitoring that may help them guard against the misuse of their personal information.
Transak said its financial systems remained secure despite the breach, and no financial data was compromised during the attack. The firm operates a fully non-custodial platform, which means Transak never holds users’ assets and users remain in total control of them.
The incident comes after a data breach at Fidelity Investments exposed the personal information of over 77,000 customers. In addition, Tapioca DAO has offered a $1M bounty following the October 18 security breach, which led to a $4.7 loss. These breaches highlight companies’ ongoing struggles to protect client information and user assets in the crypto and finance sectors.