Banks are located throughout the world. They perform vital
services for consumers and commercial organizations in every country in which
they operate, and they are connected to their respective nations’ banking systems.
Another commonality is that they hold massive amounts of data. This is very
attractive to attackers for many reasons. It is also a concern for
consumers, whose personally identifiable information (PII) may end up in the hands
of unauthorized persons. Sberbank was targeted, and data was removed without
its authorization. Sberbank is Russia’s largest bank, holding 45% of all retail
deposits and 41% of consumer loans. The Russian state owns the controlling
stake in the bank.
Attack
Obviously, the attack was successful, which is a problem. The
organization estimates the breach occurred near the end of August 2019. The cause of this breach is unfortunately
somewhat common, in the US and abroad. With employees, there is always the chance
of an internal threat from a disgruntled, greedy, or unhappy employee. In this
case, the bank is reporting that the breach was due to an employee’s intentional
acts. The bank noted that it had to be an internal employee because, according to
the bank, the data’s location was impossible to breach.
Later, the speculation ended when the bank reported that the
attacker had been apprehended. During the investigation, attention focused on the
employee, who eventually confessed. The employee was the head of one of the bank’s
divisions. As part of that role, they had access to databases,
which explains how the data was exfiltrated given its remote
location and restricted access.
Data
With the attack, the personal data of millions of Sberbank’s customers
was initially alleged to have been leaked. Fortunately for the affected persons, the
target was the data. The funds in the affected persons’ accounts were not
targeted. The bank initially estimated that 60M Sberbank credit cardholders had
had their personal data stolen and that it was for sale on the dark web. This estimate
appears to have been a bit inflated, and the true number was far less, possibly
as low as 5k. The last reported sale price was $0.08 per record.
Surprisingly, neither the data leak nor the data for sale was
noticed by the bank. Even if the amount of data was only the 5k records,
this seemingly should have triggered some form of alarm. After all, even a division
manager probably would not need to download 5k individual records. Their
position would be more engaged with summaries and forward-looking goals. This oversight
was caught by DeviceLock Cybersecurity, a cybersecurity organization, when they
noticed the data for sale on the dark web. At times, a seller may make
fantastic claims about the composition of the data for sale. In this case, however, a
sample of 200 credit card holders’ data was verified, indicating the leak is real. The
data taken in this case included the credit card details, excluding the three-digit
CVV, and place of employment for the last ten years. While the affected persons
do have a bit of good news in that the CVV was not part of this, they may
still have been targeted for fraud due to the nature of the data itself.
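The kind of alarm this section says was missing can be sketched as a volume check on record-level reads per user per day. This is an added example, not code from Sberbank or DeviceLock; the audit-log format, role names, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed daily ceilings on distinct full-detail customer records per role (hypothetical).
ROLE_CEILING = {"teller": 150, "analyst": 400, "division_head": 25}
BASELINE_MULTIPLIER = 10  # also flag a day that exceeds 10x the user's own prior median

def bulk_access_alerts(lines):
    """Return sorted (day, user, count, reason) tuples for anomalous record reads.

    Each line is 'day user role action customer_id' (constructed audit format).
    """
    seen = defaultdict(set)            # (user, day) -> distinct customer ids read
    roles = {}
    for line in lines:
        day, user, role, action, cust = line.split()
        if action != "READ_RECORD":    # summaries are not record-level access
            continue
        seen[(user, day)].add(cust)
        roles[user] = role
    per_user = defaultdict(dict)
    for (user, day), custs in seen.items():
        per_user[user][day] = len(custs)
    alerts = []
    for user, days in per_user.items():
        ceiling = ROLE_CEILING.get(roles[user], 0)   # unknown role: any read alerts
        for day, count in days.items():
            prior = [c for d, c in days.items() if d < day]  # ISO dates sort as text
            if count > ceiling:
                alerts.append((day, user, count, "role_ceiling"))
            elif prior and count > BASELINE_MULTIPLIER * median(prior):
                alerts.append((day, user, count, "own_baseline"))
    return sorted(alerts)

def sample_log():
    """Constructed sample: a steady teller and a division head who spikes to 5k reads."""
    lines = []
    for day in ("2024-03-04", "2024-03-05", "2024-03-06"):
        lines += [f"{day} teller01 teller READ_RECORD C{i:05d}" for i in range(90)]
        lines += [f"{day} head07 division_head READ_SUMMARY -"]
        lines += [f"{day} head07 division_head READ_RECORD C{i:05d}" for i in range(3)]
    lines += [f"2024-03-07 head07 division_head READ_RECORD C{i:05d}" for i in range(5000)]
    return lines

if __name__ == "__main__":
    for alert in bulk_access_alerts(sample_log()):
        print(alert)
```

The role ceiling catches a senior account that has no routine need for individual records, while the per-user baseline catches a spike that stays under a generous role limit.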
Follow-Through
After the bank was notified, it reported this
and is working closely with law enforcement and the Central Bank of Russia to find
the culprits. As noted, this was beneficial as the