The personal information of around 900,000 clients of the Russian banks OTP Bank, Alfa Bank and Home Credit Bank has become publicly accessible, reports Kommersant. Despite the fact that the databases were uploaded at the end of May, with data collected several years ago, a significant portion of the information is still correct.
Two data leaks concerning Alfa-Bank clients were picked up by experts from DeviceLock. One of the databases contains information on more than 55,000 clients, including full names, telephone numbers (mobile, home and work), and residential and work addresses. It can be dated to 2014-2015. In Autumn 2014, the bank carried out a mass layoff of the regional IT department, at which point the data could have leaked, later being distributed for a long time on the black market, explains DeviceLock founder and technical director Ashot Oganesyan.
The second database contains only 504 records, but dates to 2018-2019, and also includes information such as dates of birth, passport information, primary bank branches, and the account balances, which are limited to 130,000-160,000 rubles (around $2,000-2,500). This one may have been taken by an account manager, believes a bank employee specializing in fighting fraud. This is indicated by the small size of the database, and the fact that all clients in the selection have a limited account balance.
The first database of Alfa-Bank clients was uploaded in an archived form with two others that, according to their descriptions, contain information on clients from Home Credit Bank and OTP Bank. This one contains data on 24,400 clients, including names, passport details, telephone numbers, and a “limit” column, presumably the credit limit. The database marked as “OTPbank” and dating to 2013, contains information on 800,000 people throughout Russia, including full names, telephone numbers, postal addresses, approved credit limits and internal staff comments.
The citizens whose data has been compromised could be targeted by a wide array of scammers, warns Zecurion director Alexei Rayevsky. Pretending to represent the bank’s security service, the criminals could gain the victims’ trust by demonstrating their knowledge of personal information. The passport data could also be used for fraudulent purposes, the expert notes.