MTS Bank leaked personal data of 1 million cardholders

Attackers published a database of 1 million MTS Bank cardholders. Personal data of clients, including tax identification number and citizenship, as well as incomplete bank card data and their expiration dates, were leaked into the network. According to experts, the incident could have occurred due to the transfer of part of the company’s work to outsourcing. They also suggest that the leak could have affected data from other parts of the MTS ecosystem. The bank itself claims that the published database contains card data from different issuers, and considers a possible leak from a retailer or digital service.

A database of more than 1 million MTS Bank clients began to be distributed in Telegram channels, while the attackers in the announcement claim that in total they gained access to the data of 21 million people. The archive consists of three files, one of which contains general data about cardholders (full name, telephone numbers, TIN, citizenship). The other two are the partial bank card number (first six and last four digits), issue and expiration dates, and card type (debit, credit, corporate). The third file also contains 50 thousand unique email addresses of holders.

The authenticity of the leak is confirmed by DLBI founder Ashot Hovhannisyan. “The composition of the data suggests that the leak probably occurred from the client or marketing unit, and most likely from an outsourcing call center or IT contractor,” says the expert. Hackers likely gained access to the backup storage or database server.

Some time ago, MTS Bank put cybersecurity outsourcing up for tender. “No bank in Russia has ever dared to do this,” notes Fedor Muzalevsky, director of the technical department of RTM Group.

MTS Bank told Kommersant that the leak of banking secrets was not confirmed, the information presented in the database does not allow attackers to carry out financial transactions on behalf of bank clients, their accounts are not in danger.

“A check of the database showed that it contains personal data of citizens and masked bank card numbers (a security measure in which the bank card number is partially visible) issued by various banks,” the credit institution notes. “The presence of cards from various issuers in the database indicates the fact that the leak did not occur in a specific bank, but, presumably, at a retailer or digital service provider that stores and processes data in exactly this form.” The MTS Bank infrastructure was not attacked, they say.

According to the bank’s reporting for 2022, the number of its clients exceeds 3.5 million people. The stated number of victims of 21 million people may indicate that hackers took over the database of clients of various businesses of the MTS group, according to InfoWatch Group. Only MTS mobile subscriber base in the first quarter of 2023 amounted to 79.8 million people.

The pro-Ukrainian Russian-speaking hacktivist group NLB (Nice Leak Bro) claimed responsibility for the leak.

The attackers write in the ad that the bulk of the leak will be put up for sale. Price not specified. As a rule, NLB does not make money from leaks, notes a Kommersant source in the cybersecurity market, “but they strive to cause the greatest damage to companies and their clients.”

Since the spring of 2022, the group has been actively attacking financial corporations, IT companies in the e-commerce sector and retailers; their targets included at least fifty organizations. For example, this year NLB hacked the hypermarket chain Auchan, Your House, Sberbank services and other large companies, most of the incidents were confirmed (see. “Kommersant” dated June 6).

Since the database contains parts of the card numbers, as well as the holder’s details, it is quite suitable for telephone scammers, says Ashot Oganesyan. “It does not contain data on fund balances or money turnover, but there are enough schemes that allow criminals to get by with a small amount of data,” says the expert. In his opinion, the number of fraudulent calls, phishing emails and spam for bank clients will increase.

A set of leaked information from MTS Bank opens up many opportunities both for imposing various services on victims and for fraud, confirms Andrey Arsentyev, head of analytics and special projects at InfoWatch Group. “After this leak, we should expect more intense phishing attacks on customers throughout the MTS ecosystem.” RTM Group is also confident that the incident “causes direct reputational damage to the bank,” he says.

Tatiana Isakova, Yulia Poslavskaya