Russia's Sberbank investigating potential client data leak

MOSCOW (Reuters) - Russia’s biggest lender, Sberbank, is investigating a potential leak of its customers’ personal data, the bank said on Thursday, as the Kommersant newspaper reported that the leak may be the biggest ever in the history of Russian banking.


Sberbank said in a statement the leak could have affected at least 200 of its customers. According to the Kommersant report, 200 entries were just a sample offered to potential buyers by an unidentified online seller who claimed to have data on 60 million credit cards, including accounts and cards that have been closed. Sberbank currently has around 18 million active credit card customers.

Kommersant said its reporters had verified the database’s authenticity by asking the seller to provide information on themselves - which ended up being correct and up-to-date.

The seller was seeking 5 roubles ($0.08) per entry, according to the report.

Both state-owned Sberbank’s statement and the Kommersant report said the leak was most likely the work of an insider with criminal intent.

“...Accessing the database from the outside is impossible because it is isolated from external networks,” Sberbank said, adding that the leaked data could not be used to withdraw the customers’ money.

According to DeviceLock, a cybersecurity company which tipped off Kommersant about the Sberbank breach, sets of data on some of Russia’s largest banks are available on the online “black market” - but none of those is as big and comprehensive as the newly-leaked Sberbank data is presented to be.

Although it might not be a traditional hacking attack, the incident highlights growing cybersecurity risks faced by Russian banks and corporations.

“Nine million attacks a year, 30,000 a day - this is what the Rosseti group of companies deals with,” Pavel Livinskiy, the chief executive of Russian state-controlled electric grid company Rosseti, told an energy conference this week.

“Eighty percent of all successful attacks exploit human (rather than technical) vulnerabilities,” he said, adding that the Rosseti firm was spending about 2 billion roubles ($31 million) a year on cybersecurity, including personnel training.

Reporting by Olzhas Auyezov and Anastasia Lyrchikova; Editing by Elaine Hardcastle