Banks are located throughout the world. They perform vital services for consumers and commercial organizations in every country in which they operate, and they are connected to the respective nation’s banking system. Another commonality is that they hold a massive amount of data. This is very attractive to attackers for many reasons. It is also a concern for consumers, as their personally identifiable information (PII) ends up in the hands of unauthorized persons. Sberbank was targeted, and data was removed without its authorization. Sberbank is Russia’s largest bank, holding 45% of all retail deposits and 41% of consumer loans. In this instance, the Russian state owns the controlling stake in the bank.
Obviously, the attack was successful, which is a problem. The organization estimates the breach occurred near the end of August 2019. The cause of this breach is unfortunately somewhat common, in the US and abroad. With employees, there is always the chance of an internal threat from a disgruntled, greedy, or unhappy employee. In this case, the bank reported that the breach was due to an employee’s intentional acts. The bank noted that it had to be an internal employee because the data’s location made it impossible to breach from outside.
Later, the speculation ended when the bank reported the attacker had been apprehended. During the investigation, the employee became the focus and eventually confessed. The employee was the head of one of the bank’s divisions. As part of that role, they had access to databases, which explains how the data was exfiltrated given its remote location and restricted access.
With the attack, the personal data of millions of Sberbank’s customers was allegedly leaked, according to initial reports. Fortunately for the affected persons, the target was the data. The funds in the affected persons’ accounts were not targeted. The bank initially estimated that 60M Sberbank credit cardholders had their personal data stolen and offered for sale on the dark web. This estimate appears to have been a bit inflated, and the true number was far less, possibly as low as 5k. The last reported sale price was $0.08/record.
Surprisingly, neither the data leak nor the data for sale was noticed by the bank. Even if the amount of data was only the 5k records, this seemingly should have triggered some form of alarm. After all, even a division manager probably would not need to download 5k individual records; their position would be more engaged with summaries and forward-looking goals. The oversight was caught by DeviceLock Cybersecurity, a cybersecurity organization, when it noticed the data for sale on the dark web. At times, a seller may make fantastic claims about the composition of the data for sale. In this case, however, a sample of 200 credit card holders’ data was verified, indicating that the data is real. The data liberated in this case included the credit card details, excluding the three-digit CVV, and place of employment for the last ten years. While the affected persons do have a bit of good news in that the CVV was not part of this, they may still have been targeted for fraud due to the nature of the data itself.
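The kind of alarm described above can be sketched as a role-aware volume check over database audit events. This is an added example, not code from the bank or from any source the article cites; the log format, user names, and per-role ceilings are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed daily ceilings for record-level reads per role (hypothetical values).
ROLE_DAILY_LIMIT = {"division_head": 200, "call_center": 500}
DEFAULT_LIMIT = 100  # applied to roles with no explicit ceiling

# Constructed audit log: timestamp, user, role, access type, rows returned.
SAMPLE_LOG = """\
2019-08-26T09:14:02 mgr01 division_head aggregate 1
2019-08-26T10:02:40 mgr01 division_head record 40
2019-08-27T18:45:11 mgr01 division_head record 2600
2019-08-27T18:52:37 mgr01 division_head record 2400
2019-08-27T11:20:05 agent07 call_center record 310
2019-08-27T15:03:59 agent07 call_center record 120
"""

def parse_line(line):
    """Split one audit line into typed fields."""
    ts, user, role, kind, rows = line.split()
    return datetime.fromisoformat(ts), user, role, kind, int(rows)

def flag_bulk_record_access(log_text, limits=ROLE_DAILY_LIMIT):
    """Return alerts for users whose record-level rows per day exceed the role ceiling."""
    totals = defaultdict(int)  # (user, role, date) -> individual rows read
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, kind, rows = parse_line(line)
        if kind != "record":
            # Summary/aggregate queries are the expected workload for managers.
            continue
        totals[(user, role, ts.date())] += rows
    alerts = []
    for (user, role, day), rows in sorted(totals.items()):
        limit = limits.get(role, DEFAULT_LIMIT)
        if rows > limit:
            alerts.append({"user": user, "role": role, "day": day.isoformat(),
                           "rows": rows, "limit": limit})
    return alerts

if __name__ == "__main__":
    for alert in flag_bulk_record_access(SAMPLE_LOG):
        print(alert)
```

Summing per user and day catches a download split across several queries, and the per-role ceiling keeps high-volume but legitimate roles from drowning out the manager whose normal work is summaries.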
After the bank was notified, it reported this and is working closely with law enforcement and the Central Bank of Russia to find the culprits. As noted, this was beneficial as the
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.