16791320 customer information sold on the dark web? Bank of Communications issued an urgent statement

A recent public statement issued by the Bank of Communications has once again aroused public concern about the security of financial data.

Recently, a hacker posted on a forum on the dark web saying that the Bank of Communications suffered a hacker attack and a large amount of information was leaked. The hacker sold these so-called “ultra-fresh data” at a price of 8.8 BTC (approximately 2.2 million yuan).

In its statement, Bank of Communications denied the authenticity of the data. The Bank of Communications said: “After system verification and comparison, it is confirmed that it does not match the actual customer information of Bank of Communications.” However, there are still netizens who are very puzzled and comment on relevant news: “How did that (data) come from?”

Some professionals told Sina Financial Research Institute that, in fact, there is basically no absolutely safe way to protect user information. It is worth noting that in December last year, Guo Shuqing, Chairman of the China Banking and Insurance Regulatory Commission, said that the regulatory authorities are studying and formulating financial data security protection regulations to build more effective protection mechanisms to prevent data leakage and abuse.

Bank of Communications urgently refutes rumors

What triggered this wave of public refutation of Bank of Communications was the news that customer information was sold on the dark web.

Recently, it was reported that on January 8, a hacker posted a post on a foreign forum. In January 2021, “China Bank of Communications” was attacked by hackers, resulting in a large amount of information being leaked and sold. The total number of leaked data was 16,919320, and the selling price was " "8.8BTC" was hung on a certain website, and the seller left contact information.

According to the data from Coingecko at the time, the price of Bitcoin was $35121.79, so the hacker asked for about $310,000, or about 2.2 million yuan. Currently, the relevant content has been deleted from the original forum.

In the afternoon, Bank of Communications issued a public statement on its official website and Weibo to urgently refute the rumors.

The Bank of Communications stated that it has recently monitored that criminals have posted on the dark web to sell so-called Bank of Communications customer information, and some have forwarded relevant information from the media. After system verification and comparison, it was confirmed that it was inconsistent with the real customer information of Bank of Communications.

Bank of Communications solemnly declares that there is no hacking or leakage of customer information. Bank of Communications has reported relevant violations to the public security department, and pursued legal responsibility for the damage to Bank of Communications’ goodwill in accordance with the law.

The Bank of Communications further stated that the bank has always attached great importance to data security protection and has effectively guaranteed customer information security by deploying multi-level cyber security defense-in-depth measures. "Our bank will actively cooperate with relevant departments to crack down on illegal acts of forging and selling citizen information and maliciously spreading rumors to disturb the financial order." The Bank of Communications said.

Why do hackers "look at" banks?

In fact, this is not the first time hackers or dark web sellers have targeted financial institutions.

In April last year, there was an online news that millions of pieces of data from a number of financial institutions were suspected of being trafficked in overseas hacker forums, involving many domestic financial institutions such as Ping An, Shanghai Pudong Development Bank, Industrial Bank, and China Merchants Bank.

In the last suspected information leak, the source of the information was RAID FORUMS, an overseas hacker forum. At that time, the data vendor claimed to have 460,000 personal data of Industrial Bank credit card users, 100,000 Shanghai Pudong Development Bank user data, 100,000 China Ping An Insurance data, 63,000 Shanghai China Merchants Bank gold card list data and Shanghai Bank user data.

At that time, in response to online customer data being peddled, Shanghai Pudong Development Bank stated that after investigation and comparison, the relevant data did not contain the bank's account information and did not match the bank's customer information elements. It is not ruled out that criminals will sell data from unknown sources in the name of financial institutions in order to obtain illegal benefits.

Bank of Shanghai and Industrial Bank also confirmed that the so-called "bank customer information" did not match the bank's actual customer information elements. Ping An of China responded that after investigation, the relevant customer information was not a company customer and was forged by criminals.

Why do criminals always look at the banks, and why do the banks always deny it?

"Financial data is the most valuable." An analyst told Sina Financial Research Institute. He pointed out that the value of financial data is very high, and once it is sold, it will cause greater harm. Therefore, banks are very sensitive to customer information.

"Bank customer information sold on the dark web is nothing more than internal outflows or system vulnerabilities being stolen. Both of these situations are detrimental to the bank. Banks must generally deny them unless they are confirmed." The analyst said. .

Financial data security protection regulations to be promulgated

In recent years, personal information leakage and financial data security issues have increasingly become a hot spot of social concern.

Someone engaged in information security work told Sina Financial Research Institute that in fact, there is basically no absolutely safe way to ensure user information security. "Because many mistakes are human errors, which cannot be solved technically." He said.

He gave an extreme example: "If someone throws a USB flash drive with a virus that steals information into a company canteen, and the person who finds it thinks it was lost by someone else, he just plugs it in to see what it is. This is also difficult afterwards. Tracking down, because there is a time lag between virus implantation and information theft."

In fact, domestic commercial banks have also paid attention to the security of financial information and data, and more and more banks have adopted methods such as setting up intranets and restricting equipment to strengthen protection measures.

"Our bank's office does not have Wi-Fi, and non-registered devices are not allowed to access the network. Employees are also not allowed to use non-certified software or non-certified U disk to transmit information." An employee of a large state-owned bank said.

It is worth noting that on December 8 last year, Guo Shuqing, Chairman of the China Banking and Insurance Regulatory Commission, gave a speech at the 2020 Singapore Fintech Festival that China’s financial technology application as a whole is “crossing the river by feeling the stones” in terms of legal regulations and risk supervision. Many problems have been encountered and some lessons have been accumulated.

When talking about the experience and lessons of responding to the challenges of financial technology, Guo Shuqing said that supervision should "make up for loopholes in the data privacy protection system."

“Some technology companies take advantage of the market to excessively collect and use corporate and personal data, and even steal data. These behaviors are not fully authorized by users, and seriously violate corporate interests and personal privacy.” Guo Shuqing said: “For this reason, the Civil Code clearly states In order to ensure that personal information is protected by law, the "Personal Information Protection Law (Draft)" was formulated at the national level, and the regulatory authorities are studying and formulating financial data security protection regulations to build more effective protection mechanisms to prevent data leakage and abuse."