Cyber Attack
Monzo said that it normally stored PINs in a “particularly secure” part of its systems that
only select employees can access. However, on Friday, 2 August, it learned that it had been
recording some people’s PINs in a different part of its system.
Although the information was in encrypted log files, more than 100 Monzo engineers could
view the information.
The organisation has since deleted the data that was incorrectly stored, and updated its
apps to fix the issue.
NOVEMBER 18
On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had
been breached and had confidential data stolen.
TARGET
INCIDENT
Method: Unknown
ACTOR
Attribution: Speculated
DESCRIPTION
On November 18, 2019, the Cayman National Bank and Trust Company confirmed it had
been breached and had confidential data stolen. The Cayman National Bank did not
elaborate on the extent of the breach but confirmed it was working with law enforcement.
This announcement corroborated an earlier claim by Phineas Fisher, a vigilante hacker
persona, who publicized the hack to encourage similar hacktivism. Phineas Fisher offered
$100,000 USD to hacktivists who breach and leak documents from banks, oil companies,
surveillance spyware vendors, and others.
6. Cardplanet Fraud
NOVEMBER 13
On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a
card trading platform worth almost $20 million USD that buys and sells stolen payment card
details.
TARGET
Location: Unknown
INCIDENT
Method: N/A
Type: N/A
ACTOR
DESCRIPTION
On November 13, 2019, the United States charged a Russian man for running ‘Cardplanet,’ a
card trading platform worth almost $20 million USD that buys and sells stolen payment card
details. He is facing a number of charges including access device fraud, identity theft, and
computer intrusion.
OCTOBER 16
On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground
markets for stolen credit card and payment details, was hacked by a competitor who stole
26 million card details.
TARGET
Location: Unknown
INCIDENT
Method: Unknown
Type: Theft
ACTOR
Attribution: Speculated
DESCRIPTION
On October 16, 2019, it was reported that ‘BriansClub’, one of the largest underground
markets for stolen credit card and payment details, was hacked by a competitor who stole
26 million card details. The credit card data was added to BriansClub between 2015 and 2019,
representing 30 percent of the total cards that are currently being sold on the underground
market.
OCTOBER 4
On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was
investigating a suspected data leak that affected at least 200 customers, and potentially
data on 60 million credit cards.
TARGET
Location: Russia
Date Breach First Reported: 10/4/2019
INCIDENT
Method: N/A
Type: Data breach
ACTOR
Type: Insider
Attribution: Speculated
DESCRIPTION
On October 4, 2019, it was reported that Sberbank, one of Russia’s largest banks, was
investigating a suspected data leak that affected at least 200 customers, and potentially
data on 60 million credit cards. Sberbank is investigating an internal employee who may be
behind the compromise of the database. Sberbank is working with law enforcement to
investigate the incident further.
SEPTEMBER 23
On September 23, security researchers reported that North Korean hackers had developed
and inserted malware to steal payment information from Indian ATMs and banking
institutions.
TARGET
Location: India
Date Breach First Reported: 9/23/2019
INCIDENT
Method: Malware
Type: Espionage
ACTOR
Type: State-sponsored actor
Attribution: Speculated
DESCRIPTION
On September 23, security researchers reported that North Korean hackers had developed
and inserted malware to steal payment information from Indian ATMs and banking
institutions. The malware, known as ATMDtrack, began appearing on networks during the
summer of 2018 and is thought to be attributable to Lazarus Group, a hacking group that
has targeted banks, ATMs, and cryptocurrency exchanges in order to fund North Korea's
weapons of mass destruction program.
SEPTEMBER 16
On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated
Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack
compromising the information of the site’s newsletter subscribers.
TARGET
Location: Europe
Date Breach First Reported: 9/16/2019
INCIDENT
Method: Unknown
Type: Data breach
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
On September 16, the European Central Bank (ECB) shut down its Banks’ Integrated
Reporting Dictionary (BIRD) site after routine maintenance uncovered a cyberattack
compromising the information of the site’s newsletter subscribers. The ECB reported that no
market-sensitive data was compromised in the attack, and it planned to contact the 481
individuals whose names, email addresses, and titles may have been accessed by hackers.
SEPTEMBER 6
On September 6, 2019, Hong Kong Exchanges and Clearing Limited (HKEx), a Hong Kong-based
stock exchange, suffered a distributed denial-of-service (DDoS) attack and discovered
a technical bug, forcing it to suspend trading.
12. Binance Ransomware
AUGUST 6
TARGET
Location: Multiple
Date Breach First Reported: 8/6/2019
INCIDENT
Method: Ransomware
Type: Unknown
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
JULY 29
On July 29, Capital One announced that it had suffered a data breach compromising the
credit card applications of around 100 million individuals after a software engineer hacked
into a cloud-based server.
TARGET
INCIDENT
Method: Other
Type: Data breach/theft
ACTOR
Type: Nonstate actor
Attribution: High confidence
DESCRIPTION
On July 29, Capital One announced that it had suffered a data breach compromising the
credit card applications of around 100 million individuals after a software engineer hacked
into a cloud-based server. The applications contained names, dates of birth, credit scores,
contact information, and some American and Canadian social security numbers. The hacker
exploited a misconfigured firewall to gain access to a database of personal information
hosted by Amazon Web Services. Upon gaining access, the hacker posted about it on
GitHub, and an unidentified individual notified Capital One about the presence of the
database on GitHub. Authorities arrested one individual in connection with the data theft.
JULY 25
On July 25, security researchers found a file containing 250GB of personal and financial
information, mainly tied to Brazilian financial institution Banco Pan, exposed online.
TARGET
Location: Brazil
Date Breach First Reported: 7/25/2019
INCIDENT
Method: Unknown
Type: Data breach
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
On July 25, security researchers found a file containing 250GB of personal and financial
information, mainly tied to Brazilian financial institution Banco Pan, exposed online. The
information, which Banco Pan claims is owned by a commercial partner, contained scans of
identification cards and social security cards, proof of address documents, and service
request forms.
15. Jana Bank Data Breach
JULY 23
On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left
exposed a database containing information on millions of financial transactions.
TARGET
Location: India
Date Breach First Reported: 7/23/2019
INCIDENT
Method: Unknown
Type: Data breach
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
On July 23, a security researcher reported that Jana Bank, an Indian small finance bank, left
exposed a database containing information on millions of financial transactions. The Know
Your Customer verification database was not password-protected, allowing anyone to
access, alter, or download the information. Jana Bank immediately secured the database
upon learning of its exposure.
JULY 12
TARGET
Location: Japan
Date Breach First Reported: 7/12/2019
INCIDENT
Method: Unknown
Type: Theft
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
JUNE 25
On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested
six individuals for cryptocurrency theft amounting to €24 million (over $26 million).
TARGET
Location: Multiple
Date Breach First Reported: 6/25/2019
INCIDENT
Method: Malware
Type: Theft
ACTOR
Type: Unknown
Attribution: Speculated
DESCRIPTION
On June 25, Europol, British law enforcement, and Dutch law enforcement officials arrested
six individuals for cryptocurrency theft amounting to €24 million (over $26 million). The
individuals used a technique known as “typosquatting,” in which they duplicated an online
cryptocurrency exchange to steal information and gain access to victims’ bitcoin wallets. The
attack affected more than 4,000 individuals in at least 12 countries.
18. Bangladesh Switch System Cyberattack
JUNE 22
In June 2019, at least three private Bangladeshi banks were compromised by major
cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore
(around $3 million).
TARGET
Location: Bangladesh
INCIDENT
Method: Malware
Type: Theft
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
In June 2019, at least three private Bangladeshi banks were compromised by major
cyberattacks, with one, Dutch Bangla Bank Limited (DBBL), losing as much as TK 25 crore
(around $3 million). Attackers deployed malware to duplicate DBBL's Switch payment
management system, allowing fraudulent financial transactions to be executed undetected.
NCC Bank and Prime Bank were also targeted, but both banks reported no financial losses
associated with the attack.
MAY 24
On May 24, First American Financial Corp. suffered a data breach compromising around 885
million files related to mortgage deeds.
TARGET
INCIDENT
Method: Unknown
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
On May 24, First American Financial Corp. suffered a data breach compromising around 885
million files related to mortgage deeds. The documents, which dated back as far as 2003,
contained bank account numbers and statements, mortgage and tax records, social security
numbers, wire transaction receipts, and images of drivers' licenses. The documents were
accessible to anyone with a web browser because the company used a standard format for
document addresses, meaning that anyone with knowledge of at least one document link
could access others simply by modifying the digits associated with the record number.
Although the company took down the website, many of the pages remained accessible on
archive.org. As of August 2019, the U.S. Securities and Exchange Commission had begun an
investigation into the data breach.
MAY 16
On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries
dismantled a group of international cyber criminals that used the GozNym malware to steal
over $100 million.
TARGET
Location: Multiple
INCIDENT
Method: Malware
Type: Theft
ACTOR
DESCRIPTION
On May 16, 2019, Europol, the U.S. Department of Justice (DoJ), and six other countries
dismantled a group of international cyber criminals that used the GozNym malware to steal
over $100 million. The group stole from over 40,000 victims, including the bank accounts of
small businesses, law firms, international corporations, and nonprofit organizations.
Following a law enforcement investigation across the U.S., Bulgaria, Germany, Georgia,
Moldova, and Ukraine, ten members were charged for the crime. The leader of the network
was charged in Georgia while another was extradited from Bulgaria to the U.S. to face trial.
Although some members of the gang are still on the run, the initial charges have been seen
as a success for law enforcement in their efforts to combat international cybercrime.
21. FirstBank Breach
MAY 13
In May 2019, a Colorado bank suffered an external security incident resulting in the
cancellation and redistribution of customer debit cards.
TARGET
INCIDENT
Method: Unknown
Type: Unknown
ACTOR
Attribution: Unknown
DESCRIPTION
In May 2019, a Colorado bank suffered an external security incident resulting in the
cancellation and redistribution of customer debit cards. FirstBank, Colorado’s largest locally-owned
bank, issued a security notice on May 13 informing customers of the breach and
instructing them to report any suspicious behavior. The bank confirmed that the breach did
not occur on its online systems but from other merchants where FirstBank customers made
transactions.
MAY 2
In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan
in Germany and Switzerland.
TARGET
INCIDENT
Method: Malware
Type: Unknown
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
In May, U.S. security company Proofpoint reported the return of the Retefe banking Trojan
in Germany and Switzerland. Retefe is malware that installs the Tor browser in order to
redirect infected devices to spoofed banking sites. The Trojan is typically delivered through
email attachments and often attempts to trick users into downloading spoofed mobile
Android applications to bypass two-factor authentication.
In the past, Retefe campaigns have targeted several European countries. In November 2016,
Retefe targeted Tesco Bank and other UK financial institutions. In September 2017, an
updated version of Retefe leveraged the EternalBlue exploit in a campaign against Swiss
targets. Since April, the Trojan has reemerged in German and Swiss banks.
APRIL 4
On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber
criminal group allegedly behind an ATM skimming operation in Mexico.
TARGET
Location: Mexico
INCIDENT
Method: Skimmer
Type: Theft
ACTOR
DESCRIPTION
On March 31, Mexican law enforcement arrested two senior members of a Romanian cyber
criminal group allegedly behind an ATM skimming operation in Mexico. One suspect is
believed to be the head of Instacash, a fraudulent ATM service provider operating out of
Mexico. The head of Instacash allegedly bribed and coerced ATM technicians to install
sophisticated Bluetooth-based skimmers inside competitors’ ATMs, enabling the Romanian
cyber criminal group to steal PINs and card data remotely from ATMs throughout popular
tourist destinations in Mexico.
MARCH 22
In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a
security flaw after the bank introduced a new customer security service.
TARGET
INCIDENT
Type: N/A
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
In early 2019, the Royal Bank of Scotland’s (RBS) customer accounts were exposed to a
security flaw after the bank introduced a new customer security service. In January, RBS launched a
free endpoint security service for customers in partnership with Danish firm Heimdal
Security. While the security service was intended to detect threats and protect RBS
customers from attacks, researchers discovered a software flaw that enabled access to
customer emails, banking details and internet history. Heimdal Security has since released
an update to fix the security flaw and insisted that only 50,000 computers were affected.
It claims that there were no intrusions as a result of the security flaw.
MARCH 12
The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign
targeting Japanese banks that began in 2016.
TARGET
Location: Japan
INCIDENT
Method: Malware
Type: Unknown
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
The Ursnif banking Trojan, which was discovered in 2007, was repurposed in a campaign
targeting Japanese banks that began in 2016. Ursnif, also known as Gozi ISFB, is a popular
malware that steals information on infected Windows devices. Ursnif has been deployed in
a new campaign that specifically targets banks in Japan. The malware terminates itself on
devices outside of the country. The campaign uses a distribution network of spam botnets
and compromised web servers to deliver the Trojan. Between 2016 and 2017, researchers at
Palo Alto Networks observed millions of infected emails sent to banks in Japan. Researchers
have not been able to identify the operation behind the campaign, but evidence suggests it
may be connected to the Cutwail botnet, a cyber criminal operation active since 2007.
26. Bank of Valletta
FEBRUARY 13
On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down
operations after an attempted theft of €13 million.
TARGET
Location: Malta
INCIDENT
Method: Unknown
Type: Disruption
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
On February 13, the Bank of Valletta (BOV), Malta’s largest and oldest bank, shut down
operations after an attempted theft of €13 million. Attackers made multiple transfer
requests from the Maltese bank to accounts in the UK, United States, Czech Republic, and
Hong Kong. The bank’s employees discovered the fraudulent activity during their daily
reconciliation of international orders. Within the hour, BOV notified other banks in an
attempt to freeze the transactions. It also closed all its branches, shut down its ATMs and
point-of-sale system, and stopped all other electronic services, which were restored the
following day. In a statement, BOV said it was working with local and international police
authorities to track down the attackers. It also announced that customer accounts were
not affected in the incident.
FEBRUARY 8
Multiple credit unions in the United States were hit by spear-phishing emails impersonating
compliance officers from other credit unions.
TARGET
INCIDENT
Method: Phishing
Type: N/A
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
Multiple credit unions in the United States were hit by spear-phishing emails impersonating
compliance officers from other credit unions. Under the Bank Secrecy Act (BSA), financial
institutions are required to have dedicated compliance personnel responsible for reporting
suspicious transactions and potentially fraudulent activity to the U.S. government. Emails
sent to these compliance officers contained a PDF with a malicious link. While it is believed
that no employee clicked the link, there is speculation as to how the attackers obtained the
email addresses of the compliance officers.
FEBRUARY 4
The State Bank of India, the country’s largest, has denied claims that its servers were
compromised during a recent intrusion.
TARGET
Location: India
INCIDENT
Method: Unknown
Type: Unknown
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
The State Bank of India, the country’s largest, has denied claims that its servers were
compromised during a recent intrusion. Multiple media outlets reported an SBI server was
unprotected, and as a result attackers were able to gain access to the system and steal
users’ personal information. Despite the claims, the bank said their investigation revealed
that SBI’s servers remained fully protected and that no breach had occurred.
FEBRUARY 2
UK-based Metro Bank became the first major bank to suffer from a new type of cyber
intrusion that intercepts text messages with two-factor authentication codes used to verify
various customer transactions.
TARGET
INCIDENT
Method: Other
Type: Disruption
ACTOR
Type: Unknown
Attribution: Unknown
DESCRIPTION
UK-based Metro Bank became the first major bank to suffer from a new type of cyber
intrusion that intercepts text messages with two-factor authentication codes used to verify
various customer transactions. The attackers exploited flaws in the Signaling System 7 (SS7)
protocol, which is used by telecommunications companies to route text messages around
the world. A spokesperson for the bank stated that only a small number of those defrauded
were Metro Bank customers.
30. Chile ATM Attack
JANUARY 10
In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an
employee into downloading a malicious program during a fake job interview over Skype.
TARGET
Location: Chile
INCIDENT
Method: Other
Type: Espionage
ACTOR
Attribution: Speculated
DESCRIPTION
In December, hackers infiltrated Chile’s ATM interbank network, Redbanc, after tricking an
employee into downloading a malicious program during a fake job interview over Skype. It is
believed that the Redbanc employee saw a LinkedIn job advertisement and attended a
Skype interview where the attackers asked him to download a software program to submit
his application form. The attackers tricked the victim into downloading malware on his
system, giving them access to Redbanc’s network. Redbanc claims the event had no impact
on its business operations.
31. Fuze Cards
JANUARY 10
The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an
attempt to avoid detection by U.S. law enforcement.
TARGET
INCIDENT
Method: Cards
Type: Theft
ACTOR
DESCRIPTION
The U.S. Secret Service has identified a number of criminal rings turning to Fuze cards in an
attempt to avoid detection by U.S. law enforcement. A Fuze card is a data storage device
that looks like a bank card, but can hold account data for up to thirty cards. Using smartcard
technology can help criminals avoid raising suspicions at payment points or if stopped by
authorities, as it reduces the need for them to carry large numbers of counterfeit cards on
their person.
32. Himalayan ATM Heist
SEPTEMBER 2
TARGET
Location: Nepal
Date Breach First Reported: 9/2/2019
INCIDENT
Method: Other
Type: Theft
ACTOR
Type: State-sponsored actor
Attribution: Speculated
DESCRIPTION