On the morning of November 5, 2019, journalists RBC they said that information about Alfa-Bank credit card holders and Alfa Insurance customers was put up for sale on the network. The seller, who published the corresponding announcement on one of the specialized forums, said that he has up-to-date data on about 3,500 customers of the bank and about 3,000 Alfa Insurance clients.
The free "sampler" provided by the seller contains thirteen Alfa Bank customer agreements and ten Alfa Insurance contracts. The agreements contain a full name, mobile phone number, passport data, registration address, the amount of the credit limit or insurance issued, the subject of insurance, as well as the date of conclusion of the agreement. According to the seller, all Alfa-Bank agreements that he has at his disposal were drawn up in October, and the base was unloaded on October 22 this year. Alfa Insurance contracts are executed on the same day – May 8, 2019.
RBC journalists verified the validity of this information. When trying to transfer money to the bank’s clients via a mobile application by phone number in 11 cases out of 13, the names, patronymics and first letters of last names in the application coincided with those specified in the agreement, the remaining two phone numbers were not linked to the bank card. Up to nine clients managed to get through: most of them, including those who could not be verified through the mobile application, confirmed that they had recently issued a credit card at Alfa Bank. One of the clients has already managed to call scammers, he blocked the card.
Customer data specified in Alfa Insurance contracts have not been confirmed as a result of verification. Part of the contracts does not contain a full name or phone number, several more contain erroneous patronymics and the subject of insurance. They managed to get through only four out of ten numbers, none of the interlocutors were able to fully confirm the information or refused to speak at all.
Alfa Bank representatives already confirmed by the media the fact of leakage of personal data of a small number of customers. It is reported that at the moment the bank is reliably aware of the illegal distribution of personal data of 15 customers. The Bank is already conducting an internal investigation "to identify the extent of the incident and the circumstances that resulted in such data being made available to third parties."
“It has been reliably established that the occurrence of this situation is not the result of a violation of the protection of the bank's corporate information system. A leak does not endanger the funds in customer accounts, as it does not contain any data necessary to access the accounts, ”the representative of Alfa Bank emphasizes.
Contracts that have been made publicly available do not really contain card numbers and CVV codes, however, leaked data can still be used by scammers in combination with social engineering and phishing techniques. So, attackers can call a client under the guise of a bank and find out the necessary information to steal money.
A representative of AlfaStrakhovaniya told RBC that the company “is aware of the facts of posting on the Internet advertisements for the sale of data on electronic device insurance contracts”. AlfaStrakhovanie has already introduced additional security measures, now it is conducting an investigation and checking the published data. “Further measures that the company will take will be determined based on the results of the investigation,” he added.