Support The Moscow Times!

Sberbank Hit by Huge Data Breach

Millions of customers’ data found on black market in Russian banking’s largest ever cybersecurity leak.

Details of up to 60 million Sberbank credit cards have appeared for sale on the black market Kirill Zykov / Moskva News Agency

The personal details of millions of Sberbank customers may have been leaked, in what would be the largest-ever data breach in Russian banking, according to cyber security experts.

Analysts at cybersecurity firm DeviceLock found personal information relating to up to 60 million Sberbank credit card holders for sale on the black market. They were able to analyse the data of around 200 supposed customers — provided to them by the seller — and verified their authenticity. 

Russian newspaper Kommersant further verified some of the data by successfully finding the credit card details of its own journalists in the database, including personal details such as their place of employment for the last three years.

“This is the largest and most detailed banking database that has ever appeared on the black market,” DeviceLock founder Ashot Oganesyan said.

“In the world ranking of bank leaks, this can be considered a large incident. For the Russian market, this is an absolute record, at least for the last ten years,” he told The Moscow Times.

The data appeared for sale on a website which is blocked by Russia’s communications regulator Roskomnadzor. It is thought the data breach could have occurred at the end of August.

Sberbank confirmed that the data of “at least 200 clients” has been leaked, saying that the leak must have come from a bank employee. They said customer funds were not at risk.

In an official statement on its website the Bank said:

“At the moment, an internal investigation is being carried out and its results will be reported in the future. The most likely explanation of the incident is the deliberate criminal action of an employee, as external penetration into the database is impossible due to its isolation from the external network. The stolen information, in any case, does not threaten the safety of customer funds,” the statement added. 

Specifically, Sberbank told Kommersant that since the leaked information does not contain the credit cards’ three-digit CVV codes, and that customers also require a verification code through text message to make online payments, customers are not at risk of fraud.

However, Oganesyan told The Moscow Times that Sberbank customers have been left exposed to “various types of fraud” as a result of the leak. He highlighted telephone fraud in particular, citing an incident earlier this year where Sberbank customers were called by fraudsters pretending to represent the bank.

Sberbank is Russia’s largest bank, holding 45% of all retail deposits and providing 41% of all consumer loans. The Russian state owns a controlling stake in the bank.

… we have a small favor to ask. As you may have heard, The Moscow Times, an independent news source for over 30 years, has been unjustly branded as a "foreign agent" by the Russian government. This blatant attempt to silence our voice is a direct assault on the integrity of journalism and the values we hold dear.

We, the journalists of The Moscow Times, refuse to be silenced. Our commitment to providing accurate and unbiased reporting on Russia remains unshaken. But we need your help to continue our critical mission.

Your support, no matter how small, makes a world of difference. If you can, please support us monthly starting from just $2. It's quick to set up, and you can be confident that you're making a significant impact every month by supporting open, independent journalism. Thank you.

paiment methods
Not ready to support today?
Remind me later.

Read more