Russia's Sberbank investigates credit card data leak

Bank says data on at least 200 customers has leaked; a security company said it is many more.
Written by Daphne Leprince-Ringuet, Contributor

Russia's largest bank, Sberbank, is investigating a potential leak of credit card data, saying that 'criminal wrongdoing' by an employee is currently their main lead.

The bank said that an internal investigation was underway and that at least 200 client accounts could be affected. 

"An internal investigation is underway. Its results will be unveiled in a separate statement. A criminal wrongdoing of an employee is the primary lead," the bank said.

SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic cover story) | Download the PDF version

But the Kommersant newspaper said that information relating to up to 60 million credit card holders was apparently now for sale on the black market, and that those 200 accounts were offered only as a sample to trial for potential buyers. 

Kommersant said its reporters had asked the seller to provide information relating to their own accounts to verify the database's authenticity, including details of financial transactions or places of employment, and had been able to confirm it. 

Alexander Vedyakhin, deputy chairman at Sberbank's executive board, said: "Sberbank is working closely with law enforcement bodies and the Central Bank of Russia to solve the crime as soon as possible."

If the scope of the leak is accurate, this would be a significant attack on the state-owned bank. It currently has around 18 million active credit card users. 

SEE: Over 23 million stolen credit cards are being traded on the Dark Web

Ashot Oganeysan, founder of security company DeviceLock, which found the data online, told The Moscow Times: "This is the largest and most detailed database that has ever appeared on the black market."

Sberbank said it was likely that an insider was involved "as no breach could have occurred from the outside – the database is isolated and has no outer network access." It insisted: "The stolen information won't affect the safety of clients' funds."

Editorial standards