Personal Information of Nearly 900,000 Banking Customers of Three Major Russian Banks Leaked Online

• Customer data belonging to OTP Bank, Alfa Bank, and HCF Bank have been made publicly available on the internet.
• The data includes customer names, phone numbers, addresses, credit limit, passport details, and in some cases the place of work, year of birth, passport data, and account balance.

What is the issue?

Three major private banks in Russia, OTP Bank, Alfa Bank, and HCF Bank had its customer data leaked online.

OTP Bank data leak

A publicly available database listed as OTP Bank contained personal data of almost 800,000 clients including names, phone numbers, addresses, approved credit limit, work notes on how the contact with the client was passed. The information in the database dated back to 2013.

“There is no information leakage recorded in our bank, and the origin of this database is unknown to us,” OTP Bank said, Kommersant reported.

HCF Bank data leak

Another unsecured database that contained data of HCF bank held almost 24,400 customers’ personal information including names, passport details, phone numbers, addresses, and credit limit.

• The addresses of customers in the database indicated that most of the customers live in Volgograd city.
• Kommersant contacted the customers mentioned in the database and confirmed that they had taken a loan from the HCF Bank.

“The origin of the data in the specified file is unknown to the bank, but we will take steps to establish it,” HCF bank said.

Alfa Bank data leak

DeviceLock uncovered two databases that contain customer data of Alfa Bank.

• The first database included personal data of over 55,000 customers including names, phone numbers, addresses, and place of work.
• The second database contained just 504 entries that included the year of birth, passport data, and account balance limited to 130,000 –160,000 rubles (USD 2000 - 2500).

The information in the first database dated back to 2014-2015, while the second database included recent information with entries between 2018 and 2019. The addresses of customers in the first database hinted that all customers live in the Northwestern Federal District working in either private companies, the Federal Security Service, or the Ministry of Internal Affairs.

Ashot Oganesyan, Founder of DeviceLock, noted that the Alfa Bank database might have leaked in 2014 when the bank executed mass layoffs of its IT staff. Some disgruntled IT insiders could have stolen the database and dumped them online.