Sberbank denied media reports of a leak of customers' personal data, saying that neither the bank nor its subsidiaries had experienced anything of the kind.

“All official information on this topic was published by the bank earlier. We do not comment on information that belongs to the category of rumors and speculation,” RIA Novosti quoted the bank’s press service as saying.

Arseniy Poyarkov, a member of the State Duma’s expert council on digital economy and president of the BusinessDrom analytical agency, told the agency that the reports could concern outdated customer data.

“Since the beginning of 2019, Sberbank has made a lot of efforts to maintain the confidentiality of customer data. Now it’s become much more difficult to get wholesale arrays of information on the client base than before, therefore, most likely, we can talk about outdated databases that they want to implement before they finally lose their relevance,” Poyarkov noted.

Leak data

Earlier, Russian media reported that a database of Sberbank customers' personal data had been put up for sale on the black market. According to Kommersant, the offer appeared online on October 13. The database contains about 1 million lines with the passport details, registration, phone number, accounts, and balance or debt of customers who have a Sberbank loan or credit card. In addition, it is alleged that the leak contains a record of customers' last telephone conversation with the bank's call center.

Representatives of the publication contacted the seller of the stolen database. According to him, it allegedly contains relevant data accumulated since 2015 and is updated weekly. The cost of one line is 30 rubles. The seller added that he was only a reseller.

Izvestia’s report states that the database that reached the shadow market contains information on 11.5 thousand Sberbank customers.

Incident investigation

In early October, a leak of personal data of Sberbank credit card holders was reported. Kommersant stated at the time that about 60 million credit cards had appeared on the black market. According to the publication, a potential seller offered a 200-line trial fragment of the database for sale.

Sberbank opened an investigation. As a result, an employee born in 1991 was detained and gave a confession. The attacker turned out to be the head of a sector in one of the organization’s business units.

“It was additionally established that at the end of September, the employee who committed the crime sold several thousand tranches of one of the criminal groups in the shadow Internet, in total 5 thousand credit card accounts of the Ural Bank of Sberbank, a significant number of which are outdated and inactive,” Sberbank said.

According to the results of the investigation, law enforcement agencies together with the Sberbank security service seized all the stolen information. Cards in the criminal database were reissued. The bank emphasized that there is no threat to customers.

“We have made serious conclusions and radically strengthened the control of access to the work of our systems for bank employees in order to minimize the impact of the human factor,” the head of the bank, German Gref, said at the time.

In October, media outlets also reported a leak of customer data from the GreenMoney microfinance company. More than a million credit histories of Russians were publicly accessible. The organization itself said that several dozen records were involved. The cause of the leak was established to be incorrect use of software. The problem was resolved after independent cybersecurity researcher Bob Dyachenko contacted the Bureau of Credit Histories.

Strengthening Responsibility and Improving Security

After the investigation identified the attacker among Sberbank's employees, the bank's head, German Gref, proposed tightening liability for the theft of bank customers' personal data.

“Today, the person who stole the wallet with a thousand rubles is more severely liable than the person who stole the data and allowed to steal money from thousands of people,” Gref said.

According to him, it is also necessary to change procedural legislation so that the fact of theft can be recorded quickly, and to expand the description of the crime in the Criminal Code.

In addition, Sberbank said it was preparing a comprehensive proposal to improve its security system.