Cybercriminals claim to be selling the personal details of as much as 93% of Ukraine’s population in a dataset supposedly stolen from the country’s scandal-ridden, largest public lender, PrivatBank — something the bank has been quick to describe as incredulous, even impossible.
The purported cache of sensitive information, which was listed via the online marketplace Raid Forum on February 8, allegedly contains bank customers’ full names, dates of birth, passport numbers and contact details.
The anonymous vendor claims this data relates to more than 40 million customers at PrivatBank. Ukraine has a population of 43 million people.
However, a reported internal investigation at the lender has called the veracity of the vendor’s claims into serious doubt.
A PrivatBank representative told cybersecurity research and analysis outfit CyberNews that since 2017, the bank had not recorded a single breach or incident in which information was transferred from its database.
The numbers also don’t add up: When PrivatBank was nationalized in 2016, the lender had just 20 million customers.
“We were pleasantly surprised that 40 million people were attributed to the number of the bank’s clients, but this figure exceeds the total number of the country’s adult population,” the representative reportedly said.
The online vendor has been granted “trusted status” by Raid Forum, indicating that customers have not had problems buying from them before.
They are currently selling the alleged dataset at a going rate of US$3,400 in BitCoin.
It does not appear the vendor has yet made any sales, but there remains a possibility they may be hiding these by generating a new platform for receipt of payment each time.
This isn’t the first time PrivatBank has encountered trouble — supposed, or actual — from cybercriminals.
In 2016, the bank allegedly lost more than $10 million after hackers were able to exploit a loophole in the SWIFT banking system.
This is an ordinarily secure network that allows more than 10,000 financial institutions around the world to send and receive information about monetary transactions.
Earlier in 2014, pro-Russia hacker group CyberBerkut mined customer data from the bank’s records before publishing the information via Russian social media.
Nor is it merely cybercriminals who have sought to profit from PrivatBank via deceptive means.
The lender’s nationalization in 2016 followed soon after allegations surfaced that former owners Ihor Kolomoisky and Gennadiy Boholiubov had embezzled at least $5.5 billion from customers.
Representing deposits made by a third of the country’s population, the amount the pair allegedly stole was equivalent to around five percent of Ukraine’s GDP at that time.
Multiple investigations into Kolomoisky and Boholiubov’s financial dealings remain ongoing.