Binance Says KYC Data Leak ‘Fake’, but Is Investigating Blackmail Demand Source
Digital asset exchange Binance has spoken out about a so-called “leak” of its know-your-customer (KYC) data, posted earlier today in a Telegram group. In a statement, the company said the information posted was from February 2018, and hinted a bad actor had been blackmailing the company and demanding a 300 BTC ransom to withhold 10,000 registered user photos.
Subscribe to the Bitsonline YouTube channel for great videos featuring industry insiders & experts
Telegram Channel Posts Binance User Data, Gets Taken Down
The information reportedly appeared in a Telegram channel called “kycisimportant”. On Twitter, Binance encouraged people to report the group and at press time, it is no longer accessible.
Binance Global PR representative Leah Li told Bitsonline the Telegram team had taken down the group after multiple reports. Telegram regularly removes channels and users that attract complaints of spam, harassment, or other wrongdoing.
CEO Changpeng “CZ” Zhao called reports of the leak “FUD” (which generally means “untrue”) and “old news”, Binance’s online statement referred to a “false KYC leak”.
Don't fall into the "KYC leak" FUD. We are investigating, will update shortly.
— CZ Binance (@cz_binance) August 7, 2019
Binance is offering a bounty of 25 BTC to anyone who can offer useful information in tracking down the blackmailer — which suggests the data did in fact contain real customer information.
Leaked Data ‘Bears Similarity’ to Binance User Info
In a company blog post explaining the situation, Binance said the posts on Telegram “bear similarity to Binance KYC data”. The company added there “are inconsistencies when comparing this data to the data in our system” as they did not bear the digital watermark it imprints on the customer data it keeps.
However, the statement also noted Binance’s security team was investigating the incident with law enforcement agencies, and the third-party vendor it had contracted in 2018.
Reports of a leaked KYC data haul from Binance and fellow exchange Kraken had circulated as far back as January 2019. A hacker had previously contacted the company with demands for 300 BTC to keep the information private, but had been unable to prove the data they held was genuine.
It also noted that it had previously hired a third-party vendor to provide KYC verification services in February 2018, to handle the high volume of applications it had received. At the time, Binance had become wildly popular and many users had been unable to sign up for new accounts. There were reports of potential users offering money to those already signed up to transfer their accounts, as eager investors queued to gain access to the broad range of cryptocurrencies and ICO tokens Binance was trading.
What Is KYC Data and Why Is it Vulnerable?
KYC data collection is an international legal requirement for all banks and online exchanges to prevent money laundering, tax evasion and other financial crimes. Typically, it involves name and current address information, and a recognized photo identity document such as a passport or driver’s license. Many exchanges often require additional ID in the form of a selfie showing the user holding the document, to prevent anyone signing up with someone else’s information.
The requirement for so many companies to hold this data is often criticized, given the tendency of organizations both large and small to suffer breaches. Companies storing this data find themselves constantly under attack, as identity documents coupled with financial information like credit cards and bank account numbers can be lucrative for data thieves. This data is particularly vulnerable for that reason, and the fact that even organizations with (supposedly) rock solid storage security are still vulnerable to leaks via third-party contractors or inside sources — both past and present.
Large, well-known corporations such as Target, Equifax and (more recently) Capital One have all experienced massive customer data breaches in past years. The hacks exposed the personal data of millions of mainly American customers, most of which likely ended up for sale on darknet markets and led to large-scale identity theft.
Some have proposed blockchain-based systems for an internationally-recognized KYC and identity network, where data is encrypted and owners retain the private keys to this information. However there’s still the problem of who could access this data and how, with governments and companies always looking for faster and more convenient (for them) access to information about people’s lives and economic habits.
Have you ever been the victim of identity theft or a data breach? How did it affect you? Let us know about it in the comments, or share and discuss this article on social media.
Images via Binance, Pixabay