e-Pay data breach – a case study

Introduction

e-Pay is a solution that is part of the GHL group of companies. According to their website, e-Pay “was founded when Malaysia’s telco industry was just emerging in the late nineties. We have been providing top-up services ever since prepaid mobile plans became popular. Since our simpler beginnings, e-pay has expanded to include a host of other e-payment services, allowing us to drop our earlier moniker ‘One Stop Prepaid Reload’ to adopt the now more accurate ‘One Stop E-Payment Service Provider’. Our network has grown fast, as we continue to build bridges between Product Partners, Merchants and Consumers across the entire nation, and are now expanding out into Asia Pacific.”

If you visit e-Pay’s website, it seems like business as usual. Their website carries promos for their products and services. Everything seems normal. But is it?

In February 2021

@bank_security revealed that a data breach had occurred, exposing the personal details of over 300,000 e-Pay customers online. A threat actor was spotted selling a database of 380,000 customers on a data sharing forum for USD 300 (about RM1,215), which works out to about 0.32 sen per user.

Looking further into the metadata reveals that a wealth of personal information was made available. The usual stuff (login, password) is there, but what caught my attention was date of birth (?) and nationality (?), which suggests that the breached data isn’t just payment information, but also information that is typically captured during a signup process.

These types of data are common in breaches. You’ll find past breaches exposing similar types of data.

What did e-Pay say?

TheEdgeMarkets took a step further and contacted GHL on the matter. GHL released a statement saying they were “currently investigating these serious allegations and are checking our system”. GHL asserts that the allegations are limited only to the e-pay online reload and bill payment collection system (E.V.E) and do not impact other e-pay and GHL businesses and operations.

For a company that’s investigating a supposed breach, they seem to know exactly where the breach may have happened. A good sign of system awareness, I suppose.

GHL further adds that the E.V.E system operates as an independent stand-alone system which does not interfere with the technical operations of other e-pay and GHL merchant acquiring systems and servers.

“Investigations are still underway and we will continue to update on the progress and any new findings. In the meantime, we would advise E.V.E users to go to our official website and change their passwords as precautionary measures.”

“E.V.E users should not click on unverified e-mail links urging them to update their credentials but to do so only on our official website,” it said.

Nothing out of the ordinary, but I’m curious as to why a bill payment system needs date of birth or even nationality.

It would have seemed passable as just another breach, but then a new piece of the puzzle emerged.

What happened in 2020?

Kela, an organization that performs dark net monitoring, issued a startling statement on their social media account.

According to Kela, based on the posting above, the breach data has been around for some time. Specifically, the same breach data had been published before, in March 2020 and in August 2020. The reporting on the breach by @bank_security was in February 2021.

This raises some fundamental questions about the whole incident.

  1. Was e-Pay aware that they had been breached in 2020?
  2. Was e-Pay only made aware of the breach because of the recent reporting?
  3. By stating that only one system (E.V.E) was affected, how did they exclude the others? It seems that either they know more about the breach, or they are trying to stop the bleeding by preventing doubt from being cast on other systems.
  4. Will they release a full statement on this matter? (We will have to wait and see.)
  5. Instead of making a blanket statement, have GHL/e-Pay reached out to their customers regarding this matter?
  6. As this is a PII breach, I’m wondering whether the PDPC (Personal Data Protection Commission)/MCMC (Communications and Multimedia Commission) will issue a statement on this matter.

Conclusion

While this incident highlights the issue with one organization, it exposes a larger problem: there is no framework that compels organizations to publicly disclose breaches. This is due to two factors: the lack of laws governing data breaches, and the shame factor. I’m reminded of an organization (I believe it was a financial one) that had a huge IT meltdown causing its operations to be severely affected; it was rumoured to be a ransomware attack but was downplayed as an IT glitch. After that, no further reporting or coverage was seen on the matter.

I lauded the efforts of FireEye for coming forward about the SolarWinds attack. Malaysia needs to normalise breach reporting and notification, especially when personal information, and in this case payment information, is exposed in a data breach.

References:

  1. e-Pay website – https://www.e-pay.com.my/
  2. SoyaCincau – https://www.soyacincau.com/2021/02/04/e-pay-customer-database-breach-380000-sale-forum/
  3. The Edge Markets – https://www.theedgemarkets.com/article/ghl-system-investigating-epay-data-breach-claims
  4. KELA – https://ke-la.com/