The newspaper Kommersant reported that Sberbank customer data is being sold on the black market, including information on 60 million cards (both active and closed, as the bank currently has about 18 million active cards). According to the publication, the leak could have occurred at the end of August this year and is one of the largest in the Russian banking sector.
An announcement about the sale of a “fresh database of a large bank” reportedly appeared last weekend on an unnamed specialized forum blocked by Roskomnadzor (according to Group-IB, announcements about the sale of a huge banking database appeared on at least 5 different forums on September 28). The seller says he is selling data on more than 60 million bank cards. The first to notice the announcement and bring it to the attention of journalists was the founder of DeviceLock, Ashot Hovhannisyan. The seller offers potential buyers a 200-line trial fragment of the database, and representatives of the publication studied it.
The table provided as a sample contained, in particular, detailed personal data and detailed financial information about the credit card and its transactions. The table carries a date of August 24, 2019, which may indicate when the leak occurred. The strings way4 or w4 were also found in it, which may refer to the Way4 processing platform, which Sberbank has been using for about ten years.
To verify the data, the journalists looked up customers from the offered sample on social networks and checked card and phone numbers in the Sberbank mobile application, which shows some of the information about the recipient's name when funds are transferred. According to the seller, the database is divided into 11 parts (exactly the number of Sberbank's territorial banks), and he sells each line for 5 rubles. To test the hypothesis, the correspondents asked the seller to find their own data in the database. The seller provided information about the correspondents' credit cards, including their previous places of work, which have changed over the past three years. The numbers of the credit card agreements and the names of the employees who signed them match.
A Kommersant source close to the Central Bank also studied the sample and expressed confidence that it was an export of Sberbank's database and not, for example, a "lookup" obtained by bribing employees. Other sources of the publication, information security specialists at large banks, said that, judging by the nature of the test file, the leak could have come from the bank.
According to another source, the information looks like a data export from the repository by someone who had administrative access: "this is indirectly indicated by the fact that the bank card numbers in the database are not masked." Another expert noted that, purely theoretically, such data could be obtained by joining data from the card issuing point with data from processing, but that this is unlikely here, given the amount of data. “If it’s a fake, it’s very high quality,” another expert said.
Ashot Hovhannisyan claims that DeviceLock analyzed about 240 records out of the estimated 60 million and “can confirm that they contain data of real people who have card accounts in Sberbank”. In his opinion, the database may be a saved copy (full or not) of the Way4 product database.
“This is the largest and most detailed banking database that has ever come to us from the black market,” notes Hovhannisyan. “The set of fields is really amazing.” In his opinion, the consequences of the leak will be noticeable for the entire industry. The Central Bank, Roskomnadzor and, most likely, law enforcement agencies will deal with it. If there are EU residents or citizens among the clients, then the bank, in accordance with the GDPR, will have to notify the Commission about the incident.
Sberbank representatives have already prepared a press release dedicated to what is happening. It says that yesterday Sberbank became aware of a possible leak of credit card accounts, which affects at least 200 customers of the bank.
“At the moment, an internal investigation is being conducted and its results will be announced additionally. The main version of the incident is the deliberate criminal actions of one of the employees, since external penetration into the database is impossible due to its isolation from the external network. In any case, the stolen information does not threaten the safety of customers’ funds,” Sberbank said.
Sberbank representatives also told Kommersant that a data leak through external hacking of its systems is impossible in principle, since all customer databases are completely isolated from the external network. They also emphasized that the claimed number of compromised cards is "impossible, since the total volume of active credit cards is several times less." Thus, if the information about the leak is confirmed, it could only have happened as a result of deliberate criminal actions by one of the bank's employees.