Update on Transak Security Incident

In our continued commitment to transparency, we want to provide a further update regarding the recent security incident involving a third-party KYC vendor. Since securing and remediating the incident, our systems are fully operational and more secure and reliable than ever. We are confident that we will continue to grow alongside the industry as a leading fiat on/off-ramp provider.

Recap of the Incident

In our previous update, we disclosed that an unauthorised actor gained access to a third-party KYC vendor’s dashboard, and accessed up to 1.14% of our user base (up to 92,554 users). This system is entirely external to Transak’s core infrastructure, and we want to make it clear that no internal Transak systems were compromised as a result of this incident.

The attacker gained access to the KYC vendor’s platform using compromised employee credentials. Our audits and forensics have determined that access was limited to a single third-party KYC vendor, which has now been secured and remediated, and that no other systems were accessed. The employee’s access and the employee’s laptop have been removed from our systems.

Although no customer funds or financially sensitive data were compromised, this incident has provided valuable insights. At Transak, we take these lessons seriously and are committed to learning and improving. We believe that transparency is key to building trust, and by openly discussing security challenges like this, we help raise awareness and strengthen the security posture of the entire community. Our goal is to ensure that both our users and the broader ecosystem remain protected.

Personal Information Impacted

Here is a breakdown of the Personally Identifiable Information (PII) that was and was not affected in this incident:

Data Type                      Accessed
Name                           Yes
Date of Birth                  Yes
ID Documents                   Yes
Selfie Photos/Videos           Yes
Email Address                  No
Phone Number                   No
Wallet Address                 No
Credit Card Details            No
Bank Account Details           No
Social Security Number         No
Passwords                      No
Financial Transaction Data     No

While personal identity information such as names, dates of birth, ID documents, and selfie photos were accessed, no financial data, email addresses, phone numbers, wallet addresses, or passwords were compromised. Our internal systems remain fully secure and unaffected by the incident.

Securing Our Platform and Enhancing Third-Party Systems Post-Incident

We have taken immediate and comprehensive steps to strengthen both our platform and our vendors’ security measures:

  1. Enforced Hardware-Based MFA: For accessing any of our third-party vendor platforms where sensitive data is stored, we have now mandated hardware MFA as an added layer of security.
  2. Improved Monitoring and Alerts: Post-incident, we have worked closely with the vendor to implement stronger, more comprehensive monitoring systems that will quickly flag unusual activity and trigger alerts.
  3. Endpoint Security Upgrades: We have enhanced endpoint protection across all employee devices to detect malicious activities early, including phishing and key-logging attempts.
  4. Access Review and Restriction: We reviewed access across all business-critical platforms and removed unnecessary permissions, limiting access to essential personnel only.
  5. Vendor Security Audits: We are conducting more frequent security audits of all third-party vendors to ensure compliance with our enhanced security standards.
  6. Employee Training: Our team has undergone additional security awareness training, focusing on phishing prevention and best practices for password management.

We are actively updating our users, partners and regulators about the incident

We are actively engaging with the impacted users, partners and regulators, updating them on this incident and providing whatever data we can at this time:

  1. User Notification and Support: We are proactively notifying all users who were potentially affected by this security incident. So far, we have already informed users in the UK and Europe, and we are in the process of reaching out to users in the US and the rest of the world. As a precautionary step, we are also offering free credit monitoring and dark web monitoring services to eligible users to support those affected in monitoring for any potential misuse of their information. If you haven’t received an email from us by 31st October 2024, it means your account was not impacted by this incident.
  2. Partner Notification: We are also proactively reaching out to all partners whose users were impacted by the incident. If your users were affected, you will have received an email from us at the official account associated with your partnership. If you haven’t received any communication from us yet, this means that none of your users were affected by this incident.
  3. Law Enforcement & Regulatory Reporting: We proactively reported the incident to relevant data protection authorities and law enforcement.

Assurance of Transak’s Internal Security

We want to reiterate that Transak’s internal systems were not compromised. This breach occurred exclusively within the third-party KYC vendor’s platform.

Transak operates as a non-custodial platform, meaning that user funds—whether in fiat or cryptocurrency—are never held by us and were not at risk at any time.

To further ensure compliance, we’ve integrated real-time device and process monitoring across our tools, automating our SOC 2 Type II and ISO 27001 compliance. It monitors all employee devices, checking disk encryption, antivirus status, and session controls, and alerts administrators if any violations occur.

Learn more about Transak’s security here: https://transak.com/security

Looking Ahead

Security and reliability are a core part of what we do at Transak, and we want to assure our users and partners that we have implemented measures to prevent incidents like this in the future. Our teams are working closely with leading cybersecurity experts and legal authorities to ensure that every aspect of this incident is addressed. We have also reported the incident to the relevant data protection and law enforcement authorities and are following the appropriate legal processes to maintain compliance. For any questions, please don’t hesitate to reach out to us at [email protected].

We thank you for your trust in Transak.

Transak Security Team

About the Author:

Transak Team