
City Bank data breach: Client financial statements sold on underground forums

City Bank PLC has now resolved the breach and said that no transactions or other unauthorised activities could be performed by the hacker.
In December 2024, a CS-CERT contributor alerted BCSI to a threat actor advertising City Bank's client statements for sale on underground forums. Image: Zarif Faiaz/Tech

In a recent cybersecurity breach in the country, City Bank PLC has had sensitive client financial statements exposed and sold on underground hacking forums, according to a recent blog post by the Bangladesh Cyber Security Intelligence (BCSI).

BCSI confirmed the incident in early 2025, raising serious questions about the state of cybersecurity within the nation's financial institutions. Following the discovery of the breach, BCSI notified City Bank, prompting the institution to address the vulnerability immediately. By 3 January 2025, the issue had been resolved.

Previously, in mid-2024, BCSI had warned City Bank about vulnerabilities in its systems, highlighting potential exploitation risks. Researchers demonstrated how attackers could withdraw client funds and access sensitive information. While City Bank reportedly addressed the immediate issues, subsequent events suggest these measures were insufficient, as per BCSI's blog.

Screenshot by BCSI

In December 2024, a CS-CERT contributor alerted BCSI to a threat actor advertising City Bank's client statements for sale on underground forums. An investigation confirmed the legitimacy of these claims, identifying a vulnerability that allowed unauthorised access to client statements.

Screenshot by BCSI

According to BCSI, the breach was facilitated by technical flaws in session management. Attackers bypassed weak multi-factor authentication (MFA) because of inadequate session handling. Once an attacker had logged in, previously authenticated sessions could be reused to access other accounts.

Moreover, session tokens were not properly invalidated, enabling unauthorised access to other accounts once a session was compromised. This oversight allowed the attackers to retrieve sensitive client information without additional authentication, exploiting a critical gap in the bank's cybersecurity infrastructure.
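The session-handling controls whose absence BCSI describes can be sketched as follows. This is an added example, not code from City Bank or BCSI; the class `StatementSessions`, its method names and the 300-second lifetime are hypothetical. It binds each OTP-verified session to a single account, makes the OTP single-use, destroys expired tokens, and supports revoking every session for an account.

```python
import hmac
import secrets
import time

SESSION_TTL = 300  # seconds; assumed lifetime for illustration


class StatementSessions:
    """Hypothetical server-side session store for an OTP-gated statement portal."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}  # token -> account, otp, verified flag, expiry

    def start(self, account):
        """Begin a login for one account; returns the token and the OTP to deliver."""
        token = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._sessions[token] = {"account": account, "otp": otp, "verified": False,
                                 "expires": self._clock() + SESSION_TTL}
        return token, otp

    def _live(self, token):
        s = self._sessions.get(token)
        if s is None or self._clock() >= s["expires"]:
            self._sessions.pop(token, None)  # expired tokens are destroyed, not kept
            return None
        return s

    def verify_otp(self, token, otp):
        s = self._live(token)
        if s is None or s["otp"] is None:
            return False
        if not hmac.compare_digest(s["otp"], otp):
            return False
        s["verified"], s["otp"] = True, None  # OTP is single-use
        return True

    def can_view(self, token, requested_account):
        """Authorize a statement request against the account bound to the session."""
        s = self._live(token)
        # Checking only s["verified"] would let one verified session read any
        # account number supplied in the request.
        return bool(s and s["verified"] and s["account"] == requested_account)

    def revoke_account(self, account):
        """Incident response: drop every session bound to an account."""
        stale = [t for t, s in self._sessions.items() if s["account"] == account]
        for t in stale:
            del self._sessions[t]
        return len(stale)
```
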

When contacted, City Bank's MD and CEO Mashrur Arefin sent an official statement to The Daily Star regarding the matter, confirming the breach.

"City Bank provides a web portal where customers can download their account statements using Two-Factor Authentication (2FA), which involves a One-Time Password (OTP). This portal, referred to as the 'Statement Portal,' is solely for generating account statements," said the statement.

According to the official statement, "on January 2, 2025, a system 'glitch' occurred that allowed a hacker to bypass the 2FA process and gain access to account statements of other customers. The number of account statements accessed that way was low because the hacker could access only those accounts whose numbers were known to him. However, due to the glitch, the system failed to send OTPs to the account holders' registered phone numbers, enabling unauthorised access to the statement(s) by the hacker."

"This vulnerability was limited to viewing account statements only. That is, no transactions or other unauthorised activities were or could be performed by the hacker," as per City Bank's statement.

According to the statement, City Bank took timely action regarding the matter: its tech security team reviewed the portal's ecosystem, revoked all access, and terminated all bypassed sessions. Moreover, the bank deployed a dedicated real-time monitoring team to oversee further activities.

"To ensure such incidents do not recur, the IT team, through its developer wing, has already implemented robust measures to prevent similar vulnerabilities in our portals. Also, our Security Operations Center (SOC) team has enhanced its 24/7 monitoring capabilities. With full assurance we can inform our customers that such incidents will not take place again," City Bank said in its official statement regarding the issue.

An earlier version of the story was published before City Bank could send in their official statement regarding the issue. The story has now been updated and republished incorporating City Bank's statement. 
 
