New Sberbank Customer Data Leak Reported on the Darknet
On February 12, 2020, Russian media outlet “Izvestia” reported that two new dumps containing Sberbank customer data were discovered on the darknet. The leaked databases reportedly contain 20,000 and 100,000 records, respectively. Journalists from the publication verified a test fragment of the first database (10 records) and confirmed the authenticity of the information. Their analysis also showed that the data does not match previously leaked databases, indicating this is a new breach.
The seller says they are prepared to release 10,000 new records every week, at 35 rubles per record. The seller claims that the individuals in the database reside in regions in the UTC+5 time zone, specifically in the Ural and Volga Federal Districts of Russia.
Details of the Leaked Data
Each record in the database includes the name of the bank branch, full name, account number, passport details, date of birth, and phone numbers of the customers. Based on the abbreviated branch names, it appears that the affected customers received their cards in the Republic of Bashkortostan. The passport series matches the regional code (OKATO) for that area.
To verify the authenticity of the data, journalists checked the mobile phone numbers through the “Sberbank Online” app, which displays the first name, patronymic, and the first letter of the last name when a number is entered. Six out of ten records matched, three were not linked to the app, and one phone number showed a different name. Journalists were able to reach four people by phone, all of whom confirmed their names and dates of birth.
Expert Analysis and Bank Response
At the request of “Izvestia,” Ashot Oganesyan, CTO of DeviceLock, analyzed the test fragment and confirmed that the new database was not part of the mass leak reported by the media in October of the previous year. The new records have a different format, and the data that can be cross-checked (such as phone numbers) do not match those from previous leaks.
The DeviceLock expert suggested that the data may have been leaked by an insider—an employee with access to the bank’s information system or database server.
“Izvestia” also found another listing for Sberbank customer data (100,000 records) for sale. However, journalists could not verify the authenticity of this data, as the seller did not provide a test fragment.
Sberbank representatives stated that they have already investigated and concluded that the data found by journalists has been circulating on the black market for a long time and dates back to 2015-2016. “Every day, dozens of offers to sell databases of clients from various banks and companies appear online. We check all such information, including the one mentioned in the publication. The data in question had already been offered for sale on the dark web and relates to 2015-2016,” the bank’s press service said.