In a long investigative article this week, Forbes examines the 2009 and 2010 hacks of online gambling payments processors Moneybookers and Neteller, revealing that although these initially appeared innocuous, it has since transpired that millions of users’ private data – addresses, emails, telephone numbers, birth dates and, in the case of Neteller, answers to password hints – fell into criminal hands.
“The details are only now being made public by Optimal Payments, the London-based owner of both Moneybookers (now Skrill) and Neteller, after disclosure from Forbes,” the article claims, noting that the company is now reinvestigating the hacks and the possibility of further breaches.
The author of the article was handed information by an anonymous source on two databases they said were leaked sometime around 2011 and 2012. These were checked by security expert Troy Hunt, who verified a sample of the entries.
Realising that some of the information could still be used to prejudice consumers, the author gave Neteller parent group Optimal a heads up on October 29, along with screenshots of the databases.
The company subsequently publicly confirmed Moneybookers and Neteller were both victims of cyberattacks, back in 2009 and 2010 respectively.
The companies reported the attacks to the Financial Services Authority (now the Financial Conduct Authority) at the time, and Deloitte carried out subsequent investigations.
To the best of its knowledge, Optimal said, neither Neteller nor Moneybookers customers suffered any financial losses as a result of the breach.
Neither breach was disclosed to customers at the time, because both appeared insignificant.
However, the Forbes article points out, the databases contained 4.5 million and 3.6 million records for Moneybookers and Neteller respectively. And, with password hints, home addresses, emails and telephone numbers, they appeared to contain sensitive data.
“That the leaks contained millions of records is certainly not out of the question. Skrill (Moneybookers) is said to have more than 11 million account holders, whilst Neteller claims to have “millions” of customers.
“Online estimates ranged from 2 to 10 million Neteller users. Optimal, which is listed on the London Stock Exchange Alternative Investment Market (AIM), shifts billions of dollars every year across 200 countries, though it didn’t provide numbers of customers. It runs a host of other payments companies too, including Netbanx, Global Merchant Advisors and Meritus,” Forbes reports.
Forbes notes that in its meeting with Optimal representatives in London the company was “refreshingly transparent about what happened in 2009 and 2010.”
Optimal executives said the Neteller breach occurred when a Joomla content management system was exploited, allowing the attackers to run scripts that effectively gave them command and control over that server. As the server was used for marketing purposes, it did not contain any financial information – “not the guts and the meat and potatoes of our systems”. The hackers were not able to pivot to exploit Neteller further, according to a Deloitte report on the attack. CEO Joel Leonoff reiterated there was no indication any financial information was taken.
As for Moneybookers, a post-breach report from Optimal revealed the hacker compromised a virtual private network (VPN) account to gain access to a production database. The forensic investigator found certain records were transferred to the attacker, but attempts to grab information failed on two occasions, and the investigator believed the likelihood of a successful export was low.
Forbes and the security consultant Hunt handed over the databases they had acquired to Optimal but, a week later, had heard nothing further from the company.
The impact of the public disclosure of the breach by Optimal (following the Forbes heads up) was noticeable, with Reuters reporting that the company’s share price took an 11 percent hit.
Forbes has ensured that the FCA and the UK Information Commissioner’s Office have been notified of recent developments.
The publication says that the source of the databases it acquired claimed to be a middleman in brokering such deals, and that the Neteller and Moneybookers databases were shared between two unnamed parties. The source is now apparently assisting Optimal in its further enquiry into the issue.
Hunt praised Optimal for its public disclosure following the heads up, saying:
“They’ve handled this incident extremely professionally. They immediately grasped the severity of the problem and sought feedback from myself and others who may be able to help shed some light on the breach. I hope that their exemplary reception of ethical disclosure encourages others to speak up when they witness a serious crime of this nature.”
Forbes reports that there are few if any clues as to who was responsible for the Moneybookers and Neteller breaches. “If they’re still at large, they’re likely breaching all kinds of companies and getting away with it, whilst shady data traders are making money from illicit acts too,” it speculates.