Alfa Bank customer data sold on the black market

Part of the affected cardholders have already begun to call scammers.
Origin source
At a specialized forum, the data on Alfa-Bank credit card holders was put up for sale. The bank confirmed the leak, saying that it affects a small number of customers and does not pose a threat to the money in the accounts.

The data of Alfa-Bank credit card holders, as well as Alfa Insurance customers were put up for sale. The seller, who published the corresponding announcement on one of the specialized forums, said that he has up-to-date data on about 3.5 thousand customers of Alfa Bank and about 3 thousand customers of Alfa Insurance. The announcement was published on October 31, the seller registered on the same day, made sure RBC.

What data sell

The free sampler contained 13 Alfa Bank customer agreements and ten Alfa Insurance client agreements. The agreements contain a full name, mobile phone number, passport data, registration address, the amount of the credit limit or insurance issued, the subject of insurance, as well as the date of conclusion of the agreement. According to the seller, all the Alfa-Bank agreements that he has at his disposal were drawn up in October, and the base was unloaded on October 22. Alfa Insurance contracts are executed on the same day - May 8, 2019.

RBC checked the customers of Alfa Bank. When trying to transfer money to them through a mobile application by phone number in 11 cases out of 13, the names, patronymics and first letters of last names in the application coincided with those specified in the agreement, the remaining two phone numbers are not linked to the bank card. Up to nine customers managed to get through: most of them, including those who could not be verified through the mobile application, confirmed that they had recently issued a credit card at Alfa Bank. One of the clients had already managed to call scammers, he blocked the card.

Customer data specified in Alfa Insurance contracts have not been confirmed as a result of verification. Part of the contracts does not contain a full name or phone number, several more contain erroneous patronymics and the subject of insurance. They managed to get through only four out of ten numbers, none of the interlocutors were able to fully confirm the information or refused to speak at all.

The representative of Alfa Bank confirmed to RBC the fact of the distribution of personal data of a small number of customers. “At the moment, it is reliably aware of the illegal distribution of personal data of 15 clients,” he said. The Bank is conducting an internal investigation “to identify the extent of the incident and the circumstances as a result of which such data became available to third parties”.

“It has been reliably established that the occurrence of this situation is not the result of a violation of the protection of the bank's corporate information system. A leak does not endanger the funds in customer accounts, since it does not contain any data necessary to access the accounts, ”the representative of Alfa Bank emphasized.
Contracts do not contain card numbers and CVV codes, so scammers will not be able to get direct access to money. However, they can use the information to, for example, call the client under the guise of a bank and find out the necessary information to steal money. When communicating with customers, banks never ask for such information. If such a call arrives, you must call the bank back at the number indicated on the website or on the card.

A representative of AlfaStrakhovaniya told RBC that the company “is aware of the facts of posting ads on the Internet about the sale of data on electronic device insurance contracts”. AlfaStrakhovanie has already introduced additional security measures, now it is conducting an investigation and checking the published data. “Further measures that the company will take will be determined based on the results of the investigation,” he added. The Central Bank does not comment on existing market players.

Not the first leak

Sberbank also encountered leaks of information about its customers this fall. In early October, the data of his credit card holders leaked to the Network. The seller claimed that he had about 60 million records at his disposal, Sberbank confirmed the leak of data of 5 thousand customers.

Later, another seller on the profile forum put up for sale, according to him, the data of 11.5 thousand customers of the bank. He was soon detained. It turned out that the leak occurred from the collection agency “National collection service”, with which Sberbank collaborated (after the leak, the bank announced the termination of the contract).

In total, for the first half of 2019, about 1.5 thousand announcements on the sale of databases of clients of financial institutions were posted on the Network, the Central Bank revealed. This information can be used by scammers for social engineering - this type of fraud became the most popular in 2018: 97% of cases of embezzlement of funds from individuals' accounts were connected with it.

How and why data leak

The discharge of data from both Alfa Bank and Alfa Insurance to the black market could be made by the same person - a bank employee, and from the lower level, a source close to the Central Bank told RBC. “Most likely, he was sitting on the processing of these agreements and decided to merge them into the black market in order to earn money,” the source suggested.

Such leaks can occur for various reasons, says Aleksey Sizov, head of the Anti-Fraud Department of the Application Security Systems Center at Jet Infosystems. The most common scenario is a leak from an additional bank office. A less likely option is a large data leak from the archive. Judging by the open statistics on criminal cases and the nature of the documents, the source of the leak could be employees of the credit department or the pre-trial debt settlement department, said Ilya Tikhonov, head of the audit and compliance department of Softline information security department: they have access to various bases for checking customers.

“Such data can be used in various ways: they can be used by fraudsters who contact potential victims on behalf of the bank to steal funds, or competitors who, on the basis of knowledge about the services used, offer people more favorable conditions,” Tikhonov said. Leaks from large banks are not uncommon, there is a steady demand for them, so “there will always be people ready to find them,” he adds.

The risks of compromising small amounts of data are relevant for any bank, especially when the source of the leak is one employee, says Sizov. “Protecting yourself from the loss of customer data served by one operating employee is an extremely difficult task, and [it] lies not only in the plane of information security, but rather in physical protection, video monitoring methods and internal mode,” he points out.