The personal details of millions of Sberbank customers may have been leaked, in what would be the largest-ever data breach in Russian banking, according to cybersecurity experts.
Analysts at cybersecurity firm DeviceLock found personal information relating to up to 60 million Sberbank credit card holders for sale on the black market. They were able to analyse the data of around 200 supposed customers — provided to them by the seller — and verified their authenticity.
Russian newspaper Kommersant further verified some of the data by successfully finding the credit card details of its own journalists in the database, including personal details such as their place of employment for the last three years.
“This is the largest and most detailed banking database that has ever appeared on the black market,” DeviceLock founder Ashot Oganesyan said.
“In the world ranking of bank leaks, this can be considered a large incident. For the Russian market, this is an absolute record, at least for the last ten years,” he told The Moscow Times.
The data appeared for sale on a website which is blocked by Russia’s communications regulator Roskomnadzor. It is thought the data breach could have occurred at the end of August.
Sberbank confirmed that the data of “at least 200 clients” has been leaked, saying that the leak must have come from a bank employee. They said customer funds were not at risk.
In an official statement on its website, the bank said:
“At the moment, an internal investigation is being carried out and its results will be reported in the future. The most likely explanation of the incident is the deliberate criminal action of an employee, as external penetration into the database is impossible due to its isolation from the external network. The stolen information, in any case, does not threaten the safety of customer funds.”
Specifically, Sberbank told Kommersant that because the leaked information does not contain the credit cards’ three-digit CVV codes, and because customers also require a verification code through text message to make online payments, customers are not at risk of fraud.
However, Oganesyan told The Moscow Times that Sberbank customers have been left exposed to “various types of fraud” as a result of the leak. He highlighted telephone fraud in particular, citing an incident earlier this year where Sberbank customers were called by fraudsters pretending to represent the bank.
Sberbank is Russia’s largest bank, holding 45% of all retail deposits and providing 41% of all consumer loans. The Russian state owns a controlling stake in the bank.