Bangladesh Cyber Security Intelligence in a blog post said that a threat actor breached City Bank data and sold the bank’s financial statements to underground hacking forums.
The blog post said that the government intelligence agency discovered the security breach on January 1–2 that exposed sensitive client data, reemphasising concerns about the cyber security practices of financial institutions in the country.
A threat actor is an individual or group of individuals seeking to breach or otherwise undermine an organisation’s systems and data security.
The BCSI blog post, published on Sunday, did not disclose the exact volume of client data that was breached or sold on underground forums, leaving the scale of the incident unclear.
A BCSI Crowdsourced Emergency Response Team contributor alerted the agency end of December 2024 that a threat actor sold City Bank’s client statements on underground hacking forums.
The BCSI in response launched a probe and confirmed that the threat actors claims.
The BCSI immediately notified the bank, said the blog post, adding, ‘City Bank acted quickly and fixed the vulnerability on January 3.’
¶¶Òõ¾«Æ· tried to reach the City Bank managing director and chief executive officer Mashrur Arefin over phone and text messages for comments but received no response.
The BCSI confirmed that the hackers had used a technical flaw in the bank’s system to access sensitive client information.
The BCSI in the blog post said that the flaw in the City Bank’s cyber security system was part of a bigger issue with weak cyber security in many Bangladeshi banks that relied on out-dated security testing.
Earlier in mid-2024, the BCSI warned City Bank about significant vulnerabilities in their system.
‘Our researchers demonstrated how attackers could exploit these weaknesses to withdraw client balances and access sensitive information. City Bank quickly fixed the immediate issues to secure their systems or so it seemed,’ the blog read.