Sberbank, the largest bank in Russia with a regional and global presence, has suffered a major data breach. Personal information belonging to millions of clients is now being sold on the black market. Initial analyses suggest the trove of data for sale is real, highlighting the risks associated with traditional banking.
Personal Information Put Up for Sale
The leak at Sberbank, a leading financial services provider with offices in 21 countries including other CIS members, the U.S., U.K., Central and Eastern Europe, may be the largest to date in the history of the Russian banking sector. The blow against its reputation comes after the industry experienced a similar attack earlier this year in which three other Russian banks were targeted.
The unknown new owners of the database, containing details for 60 million credit cards, are now selling the information online. An ad appeared this past weekend on a forum banned by the federal telecom watchdog, Roskomnadzor. Kommersant, the leading Russian business daily which broke the news, quotes digital security experts who believe the information is real, although not all of it may be current.
Potential buyers of the data lot have been offered a sample of entries. According to the publication, whose authors have examined the set, it contains the data of 200 clients from different Russian cities, served by Sberbank’s Ural branch. The tables provide the details of the account holders, their bank cards and associated transactions.
The date stated on the document is Aug. 4, 2019, possibly the day the leak took place. It also features the phrase “way4” and the abbreviation “w4.” The savings bank has been using a data processing platform called Way4 for around a decade. Sberbank confirmed the leak in a press release and revealed an internal investigation has been launched. The bank has not been able to identify any external cyberattacks and the main assumption at the moment points to “deliberate criminal actions of an employee.”
The Russian lender is currently checking the authenticity of the leaked information to confirm whether it is genuine. Sberbank representatives assured the public the funds stored in the leaked bank card accounts are not in danger of being misappropriated by parties unauthorized by its customers. The stolen information does not contain the CVV numbers of the cards and there’s also two-factor authentication via SMS for each transaction.
Leaked Data Is Real, Independent Checks Confirm
Ashot Oganesyan, founder of data leak prevention software provider Devicelock, claims his company has analyzed the released sample and been able to confirm it contains the personal data of real people. Trying to establish the truth for themselves, Kommersant journalists have attempted to find their own info in the database and the sellers provided them with the details of their own credit cards, including information about former employers.
According to their website, Sberbank now provides services to over 150 million clients worldwide. In Russia alone, the bank has around 92 million active retail customers and over 2.4 million corporate clients. The number of Sberbank’s active credit cards in the country is currently around 18 million. The database that’s on sale has been divided into 11 sets which corresponds to the number of the bank’s territorial branches.
Sberbank’s clients are only the latest victims of bank information theft in the Russian Federation. This past summer, 900,000 customers of OTP Bank, Alpha Bank, and HCF Bank had their names, phone numbers, passport details and employment information exposed. Among them were the personal details of 500 police officers and even 40 agents of the Federal Security Service (FSB).
Cases such as these, which are not an isolated Eastern European phenomenon, demonstrate the risks associated with the widely adopted banking sector practice of collecting detailed personal information, also known as know-your-customer (KYC) procedures. The data is usually stored in a centralized manner that increases its vulnerability to attacks targeting a bank’s systems.
With cryptocurrencies you are free to transact in a decentralized and private manner. The model introduced by Bitcoin does not require a trusted third party providing intermediary services. If you need to buy or sell coins such as bitcoin cash (BCH) and other major digital currencies you can do so on a peer-to-peer platform like local.Bitcoin.com.
What are your thoughts about the latest major credit card breach? Share your opinion on the subject in the comments section below.
Images courtesy of Shutterstock.
Do you need a reliable bitcoin mobile wallet to send, receive, and store your coins? Download one for free from us and then head to our Purchase Bitcoin page where you can quickly buy bitcoin with a credit card.