Sberbank handed over its customers to scammers

German Gref’s 60 million credit card data has hit the black market. This is the largest banking leak in the history of Russia.
The personal data of Sberbank clients turned out to be on the black market. Merchants claim that they own data on 60 million credit cards, both valid and closed (the bank now has about 18 million active cards). The leak could have occurred in late August. Experts who have read the data consider them to be genuine and call the leak the largest in the Russian banking sector. Sberbank promises to verify the authenticity of the database, but claims that there is no threat to customers ’funds.

The announcement of the sale of a “fresh base of a large bank” appeared last weekend at a specialized forum blocked by Roskomnadzor. According to the seller, he sells data on more than 60 million credit cards. The first to notice the announcement and attracted the attention of Kommersant was the founder of DeviceLock Ashot Hovhannisyan. The seller offers potential buyers a trial fragment of the base of 200 lines. Kommersant studied it.

The fragment contains data of 200 people from different cities, which are serviced by the Ural Territorial Bank of Sberbank.

The table contains, in particular, detailed personal data, detailed financial information about a credit card and transactions. The date of the leak, which may indicate the date of the leak, is indicated on August 24, 2019. It also contains the words way4 or w4, which may refer to the Way4 processing platform, which Sberbank has been using for about ten years.

To verify this data, Kommersant found clients from the “probe” in social networks, and also studied information on card and phone numbers in the Sberbank mobile application, which, when transferring funds, allows you to see some of the information about the recipient’s full name. The amount of information claimed by the seller (60 million lines) may indicate that the leak affected the data on all credit cards of the bank.

According to the seller, the base is divided into 11 parts (this is exactly how many Sberbank has territorial banks), and it sells each line for 5 rubles. To test the hypothesis, Kommersant’s correspondents asked to find their data in the database. The seller provided information about the credit cards of correspondents, including at their previous places of work, which have changed over the past three years. The numbers of the credit card opening agreements and the names of the employees who signed them coincide.

A Kommersant source close to the Central Bank, having studied the “probe”, expressed confidence that it was “unloading the base” of Sberbank, and not, for example, “breakdown” obtained as a result of bribing employees. According to other Kommersant interlocutors, information security specialists at large banks, judging by the nature of the test file, the leak could have occurred from the bank.

“The data can be from the data warehouse of all systems, there is all the information about customers,” Kommersant’s source said in a large bank. “A database leak from any of the partners seems unlikely, judging by the set and amount of data.” According to another source, the information is similar to unloading data from the repository by someone who had administrative access, "this is indirectly indicated by the fact that the bank card numbers in the database are not masked." Another expert noted that, purely theoretically, such data can be obtained by gluing data from the point of issuing cards and data from processing, but in this case this is unlikely, given the amount of data. “If it’s a fake, it’s very high quality,” another expert said.

Ashot Hovhannisyan claims that DeviceLock analyzed about 240 records out of the estimated 60 million and “can confirm that they contain data of real people who have card accounts in Sberbank”. In his opinion, the database may be a saved copy (full or not) of the Way4 product database.
This is the largest and most detailed banking database that has ever come to us from the black market, ”said Mr. Hovhannisyan.“ The set of fields is really amazing. ”

In his opinion, the consequences of the leak will be noticeable for the entire industry. She will deal with the Central Bank and Roskomnadzor and, most likely, law enforcement agencies. If there are residents or EU citizens among the clients, then the bank, in accordance with the GDPR law, will have to notify the European Commission about the incident, Mr. Hovhannisyan points out.

The Central Bank did not respond to a request from Kommersant. In Roskomnadzor promise "within its competence" to verify information about a possible violation of the legislation on personal data. “Response measures will be taken after the establishment of signs of violations,” the agency said.

While the article was being prepared for release, Sberbank issued a press release informing about the possible leakage of personal data of 200 clients and an internal investigation launched. At the same time, the bank claims that no external cyber attacks were recorded. The main version of a possible incident there is called the deliberate criminal actions of one of the employees.

Additionally, Sberbank explained to Kommersant that the authenticity of the information is being studied and so far there is no clarity whether it is genuine or not. A representative of Sberbank said that data leakage through external hacking of systems is impossible in principle, since all customer databases are completely isolated from the external network. If the information about the leak is confirmed, it could be possible only as a result of deliberate criminal actions of one of the bank employees. “A thorough investigation will be carried out, its results will be announced,” Sberbank promised. They emphasized that the declared volume of compromised cards "is impossible, since the total volume of active credit cards is several times smaller."

The bank assured that there was no threat of debit of funds from the cards not authorized by customers.

The stolen information will not allow criminals to write off money from customers' cards, since it does not contain CVV codes, they explained there, and in addition, every transaction without presenting a card in Sberbank is confirmed by a one-time SMS password.