Sberbank, the largest bank in Russia with a regional and global presence, has reportedly suffered a major data breach. Personal information belonging to millions of clients is now being sold on the black market. Initial analyses suggest the trove of data for sale is real, highlighting the risks associated with traditional banking.
Personal Information Put Up for Sale
The leak at Sberbank, a leading financial services provider with offices in 21 countries including other CIS members, the U.S., U.K., Central and Eastern Europe, may be the largest to date in the history of the Russian banking sector. The blow against its reputation comes after the industry experienced a similar attack earlier this year in which three other Russian banks were targeted.
The unknown new owners of the database claim it contains details for 60 million credit cards and are now selling the information online. An ad appeared this past weekend on a forum banned by the federal telecom watchdog, Roskomnadzor. Kommersant, the leading Russian business daily which broke the news, quotes digital security experts who believe the information is real, although not all of it may be current.
Potential buyers of the data lot have been offered a sample of entries. According to the publication, whose authors have examined the set, it contains the data of 200 clients from different Russian cities, served by Sberbank’s Ural branch. The tables provide the details of the account holders, their bank cards and associated transactions.
The date stated on the document is Aug. 4, 2019, possibly the day the leak took place. Sberbank confirmed the “possible leak” and revealed an internal investigation has been launched. “In the evening of Oct. 2, 2019, Sberbank became aware of a possible leak of credit card accounts, which affects at least 200 customers of the bank,” reads a press release published on its website the same day.
The bank has not been able to identify any external cyberattacks and the main initial assumption, “deliberate criminal actions of an employee” with administrative rights, was later confirmed by its investigation. A 28-year-old employee has been implicated in leaking the clients’ data, Vedomosti reported on October 5.
In a Facebook message published on October 3, the institution pointed out that “The funds in the credit cards of all our customers, including those whose data has been leaked to the Internet, are safe. Accounting records of credit cards do not enable fraudsters to steal anything: they contain no CVV codes, logins or passwords for online banking. Besides, the bank’s anti-fraud systems prevent fraudulent operations on a regular basis.”
Leaked Data Is Real, Independent Checks Confirm
Ashot Oganesyan, founder of data leak prevention software provider Devicelock, claims his company has analyzed the released sample and been able to confirm it contains the personal data of real people. Trying to establish the truth for themselves, Kommersant journalists attempted to find their own information in the database, and the sellers provided them with the details of their own credit cards, including information about former employers.
According to its website, Sberbank now provides services to over 150 million clients worldwide. In Russia alone, the bank has around 92 million active retail customers and over 2.4 million corporate clients. The number of Sberbank’s active credit cards in the country is currently around 18 million. The database that’s on sale has been divided into 11 sets, corresponding to the number of the bank’s territorial branches.
Sberbank’s clients are only the latest victims of bank information theft in the Russian Federation. This past summer, 900,000 customers of OTP Bank, Alpha Bank, and HCF Bank had their names, phone numbers, passport details and employment information exposed. Among them were the personal details of 500 police officers and even 40 agents of the Federal Security Service (FSB).
Cases such as these, which are not an isolated Eastern European phenomenon, demonstrate the risks associated with the widely adopted banking sector practice of collecting detailed personal information, also known as know-your-customer (KYC) procedures. The data is usually stored in a centralized manner that increases its vulnerability to attacks targeting a bank’s systems.
With cryptocurrencies you are free to transact in a decentralized and private manner. The model introduced by Bitcoin does not require a trusted third party providing intermediary services. If you need to buy or sell coins such as bitcoin cash (BCH) and other major digital currencies you can do so on a peer-to-peer platform like local.Bitcoin.com.