A recent data breach at the crypto payment processor Transak exposed the information of more than 92,000 people after an employee’s laptop was accessed.
The company said on Sunday that “no financially sensitive or critical information was compromised” but admitted that names, birthdays, passports, driver’s license information and user selfies were leaked in the breach.
In a statement, the Miami-based company said the incident only affected about 1% of its user base. A “sophisticated phishing attack” granted the attacker access to an unnamed know-your-customer vendor Transak uses for document scanning and verification.
One of the largest cryptocurrency infrastructure providers, Transak serves nearly six million users across 160 countries and 46 U.S. states. The platform lets users and businesses buy and sell more than 170 types of cryptocurrency and non-fungible tokens (NFT).
Transak said it “operates as a fully non-custodial platform, meaning that user funds — whether fiat or cryptocurrency — are never held by us and therefore remain completely secure and unaffected by any such attack.”
“Users retain full control over their assets at all times, ensuring that no funds are ever at risk,” the company said.
They did not say when the breach occurred or whether the hacker has contacted them about the stolen information.
The Stormous ransomware gang took credit for the theft on Monday, claiming to have stolen 300 gigabytes of data that includes “government-issued IDs, proof of address, financial statements, and user selfies.”
The group said it plans to sell or leak the data if the company does not pay them a ransom.
Transak said in its statement that it hired a cybersecurity company to investigate the incident, identify how the information was breached and cut off hacker access.
Company officials plan to contact affected users through email and noted they are “reaching out to any affected partners to share transparency on how they were affected.” They did not explain which partners were affected and how.
Transak said it has notified officials at the U.K.’s Information Commissioner’s Office (ICO) and other regulators in the EU and U.S., and it urged customers to contact the company if they have questions.
Cryptocurrency-focused companies continue to face a barrage of both cybercriminal and nation-state threats. Just last week, more than $50 million worth of cryptocurrency was stolen from decentralized finance platform Radiant Capital.