City Bank data breach: Client financial statements sold on underground forums
In a significant cybersecurity breach, City Bank in Bangladesh has had sensitive client financial statements exposed and sold on underground hacking forums, according to a recent blog post by the Bangladesh Cyber Security Intelligence (BCSI).
BCSI confirmed the incident in early 2025, raising serious questions about the state of cybersecurity within the nation's financial institutions. Following the discovery of the breach, BCSI notified City Bank, prompting the institution to address the vulnerability immediately. By 3 January 2025, the issue had been resolved.
Previously, in mid-2024, BCSI had warned City Bank about vulnerabilities in its systems, highlighting potential exploitation risks. Researchers demonstrated how attackers could withdraw client funds and access sensitive information. While City Bank reportedly addressed the immediate issues, subsequent events suggest these measures were insufficient, according to BCSI's blog.
In December 2024, a CS-CERT contributor alerted BCSI to a threat actor advertising City Bank's client statements for sale on underground forums. An investigation confirmed the legitimacy of these claims, identifying a vulnerability that allowed unauthorised access to client statements.
According to BCSI, the breach was facilitated by technical flaws in session management. Attackers bypassed weak multi-factor authentication (MFA) because of inadequate session handling. Once an attacker was logged in, previously authenticated sessions could be reused to access other accounts.
Moreover, session tokens were not properly invalidated, enabling unauthorised access to other accounts once a session was compromised. This oversight allowed the attackers to retrieve sensitive client information without additional authentication, exploiting a critical gap in the bank's cybersecurity infrastructure.
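The server-side checks whose absence BCSI describes, shown as an added Python sketch that is not code from BCSI or City Bank: the session is bound to one user, records whether MFA was completed, is rotated at the MFA step, and is invalidated on the server. `SessionStore`, its method names and the 900-second lifetime are hypothetical.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; constructed value for this example


def _now(now):
    return time.time() if now is None else now


class SessionStore:
    """Server-side sessions bound to one user, with explicit MFA state."""

    def __init__(self):
        self._sessions = {}

    def login(self, user_id, now=None):
        # Password step only: the session exists but is not MFA-verified.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user_id, "mfa": False,
                                 "expires": _now(now) + SESSION_TTL}
        return token

    def complete_mfa(self, token, now=None):
        # Rotate the token when the privilege level changes, so a token
        # issued before MFA can never become a fully authenticated one.
        session = self._sessions.pop(token, None)
        if session is None or session["expires"] <= _now(now):
            return None
        session["mfa"] = True
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = session
        return new_token

    def logout(self, token):
        # Invalidate on the server; clearing the client cookie is not enough.
        self._sessions.pop(token, None)

    def authorize(self, token, account_owner, now=None):
        """Allow a statement request only for the session's own user."""
        session = self._sessions.get(token)
        if session is None:
            return False                       # unknown or invalidated token
        if session["expires"] <= _now(now):
            self._sessions.pop(token, None)    # expired: drop it
            return False
        if not session["mfa"]:
            return False                       # MFA step was skipped
        return session["user"] == account_owner  # no cross-account reuse
```

`authorize` is meant to run on every statement request, with `account_owner` looked up from the requested account on the server rather than taken from the client.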
The incident highlights a broader issue within Bangladesh's financial sector. A 2024 BCSI report titled "Financial Threat Assessment 2024: National Security is at Risk" criticised traditional penetration testing methods still employed by many institutions. These approaches often fail to detect critical vulnerabilities, leaving banks exposed to sophisticated cyberattacks.
BCSI has called for enhanced cybersecurity practices, including robust access controls, data protection measures, network security, employee training, and compliance with international regulations.
When contacted, City Bank stated that it does not yet have an official statement on the matter.