Data Security
Signzy
Signzy, an online ID verification company, has confirmed a cybersecurity inciden...
Signzy, a vendor providing verification services, confirmed a security incident that has impacted its global clientele, including major banks and fintech companies. The startup, which onboarded over 10 million customers monthly, faced a cyberattack, raising concerns about data safety.
Signzy confirmed the incident without providing details on its nature or scope, citing an ongoing investigation and security reasons. This news comes amid rising concerns over cybersecurity for financial institutions, given that Signzy works with over 600 financial entities, including India's largest banks.
## **Details of the Security Incident**
Multiple sources, including two major Signzy clients—PayU and ICICI Bank—informed [TechCrunch](https://techcrunch.com/2024/12/02/indian-online-id-verification-firm-signzy-confirms-security-incident/) that Signzy fell victim to a cyberattack last week.
The incident involved sensitive customer data, including personal identification details and financial records, potentially being exposed, as seen in a cybercrime forum post. India’s Computer Emergency Response Team (CERT-In) acknowledged awareness of the incident and mentioned it was actively managing the situation by monitoring affected systems, providing guidance, and coordinating with other agencies.
PayU, one of Signzy’s clients, clarified that it suffered no impact from the attack, likely due to its independent security measures and lack of direct data integration with Signzy's affected systems.
_"There is no impact on PayU customers or their data due to Signzy's [information](https://www.upguard.com/security-report/signzy) stealer malware,"_ stated Dimple Mehta, a PayU spokesperson. Similarly, ICICI Bank confirmed that their customer data remained unaffected.
## **Uncertain Impact on Customers**
Concerns linger as to the full impact on Signzy’s other customers, which include top financial institutions such as SBI, Mswipe, and Aditya Birla Financial Services, potentially facing data theft or service disruptions. The firm has engaged a professional cybersecurity agency to investigate the breach, but has yet to disclose whether any customer data had been compromised.
Debdoot Majumder, a spokesperson for Signzy, stated that the startup had informed its clients, regulators, and stakeholders of the measures being taken and provided a timeline of the investigation. However, when asked if the company had engaged with the Reserve Bank of India (RBI), Signzy confirmed no such communication had taken place. The RBI did not respond to requests for comment.
## **Rising Concerns Over Data Security**
The incident highlights the increasing threat that cyberattacks pose to financial infrastructure, with cybercrime-related financial losses reaching $4.2 billion globally in 2023, according to industry reports. With over 600 clients, Signzy is a major player in the identity verification ecosystem, providing services across multiple industries. The potential exposure raises significant concerns, especially given the critical nature of ID verification for preventing fraud and financial crimes.
Experts warn that financial institutions must enhance cybersecurity as they increasingly rely on digital onboarding, such as implementing multi-factor authentication, conducting regular security audits, and training employees on phishing prevention. The involvement of information-stealer malware suggests a targeted attack, making it imperative for other stakeholders in the financial sector to assess their security postures by updating software, conducting vulnerability tests, and ensuring timely patch management.
## **Signzy's Action Plan**
Signzy has stated that it is cooperating with authorities and has retained cybersecurity professionals to address the incident, including conducting forensic analysis, securing affected systems, and implementing additional safeguards to prevent future breaches. Backed by investors such as Mastercard, Vertex Ventures, Kalaari Capital, and Gaja Capital, the company is under pressure to ensure that its internal security framework is resilient enough to protect its users.
As part of the ongoing investigation, Signzy's leadership is expected to provide more details regarding how the incident occurred, what data might have been affected, and steps to prevent similar breaches. Investors and clients will be watching closely for updates, particularly given the growth in reliance on digital identity solutions.