After demonstrators in Iran set fire to hundreds of bank branches last month in anti-government protests, the authorities dealt with another less visible banking threat that is only now coming to fuller light: a security breach that exposed the information of millions of Iranian customer accounts.
As of Tuesday, details of 15 million bank debit cards in Iran had been published on social media in the aftermath of the protests, unnerving customers and forcing the government to acknowledge a problem. The exposure represented the most serious banking security breach in Iran, according to Iranian media and a law firm representing some of the victims.
The breach, which targeted customers of Iran’s three largest banks, was likely to further rattle an economy already reeling from the effects of American sanctions and came as Iran’s leadership was grappling with deep-seated anger over its deadly crackdown on the protests.
The number of affected accounts represents close to a fifth of the country’s population.
“This is the largest financial scam in Iran’s history,” reported Aftab News, a conservative media outlet. “Millions of Iranians are worried to find their names among the list of hacked accounts.”
Iran’s information and telecommunications minister, Mohammad Javad Azari Jahromi, described the breach as data theft by a disgruntled contractor who had access to the accounts and had exposed them as part of an extortion attempt. He denied the banking system’s computers had been hacked.
But outside cyberexperts disputed that claim. They also said a breach of such magnitude was likely the work of a state entity aiming to stoke instability, not criminals whose objective is blackmail for financial gain.
Iran has been engaged in a cycle of hack and counterhack in a cyberwar against the United States and Israel. Both sides have targeted each other’s financial and sensitive government institutions through cyberattacks for years.
The banks affected — Mellat, Tejarat and Sarmayeh — had all been sanctioned more than a year ago by the U.S. Treasury, which accused them of having transferred money on behalf of blacklisted entities of Iran’s Islamic Revolutionary Guards Corps, part of the armed forces. The entire Revolutionary Guards organization was designated as a terrorist group by the Trump administration last April.
A White House spokesman did not respond to a request for comment on the Iran banking breach. A spokesman for the Israel Defense Forces said: “We do not respond to foreign reports.”
Analysts monitoring Iran said that regardless of who was responsible, the breach created another financial challenge for the Islamic Republic as it struggles to manage tough economic sanctions imposed by the United States, as well as unrest at home and a political backlash in the region over Iran’s influence.
The data exposure could have a long-term impact on the three banks if customers lose trust and withdraw their money.
Iran’s official silence for nearly two weeks on the exposure could reflect a reluctance by the leadership to acknowledge that its financial institutions are vulnerable, experts said. The bank card data first began to appear Nov. 27, but it was not until Sunday that Azari Jahromi, the information minister, commented on the breach.
The person, persons or entity behind the attack, and the motivation, remain unclear. The account information was published on a channel called “Your banking cards” on Telegram, a mobile messaging app that is popular in Iran. The first message warned that “we will burn the reputation of their banks the same way we torched their banks,” referring to protesters across Iran who pillaged and burned about 730 bank branches.
The message on Telegram also stated that the perpetrators had demanded payment from the banks but their request had been ignored, and therefore they would be releasing the details on millions of bank cards. Within hours, they did.
The information uploaded to Telegram contains the names of account holders and their account numbers, but the PIN codes appear to be obscured. The posts also include directions on how to make homemade forgeries of cards using the leaked information.
The banks sent clients text messages and Iran’s cyberpolice alerted them in an email titled, “Your bank account is in danger of illegal usage,” and asked customers to visit a bank branch and replace their cards, according to a copy of the email published in Iranian media.
None of the three banks has issued a public statement acknowledging the breach.
ClearSky, a cybersecurity company that was among the first to issue warnings of the breach, said it had damaged the flow of financial transactions inside Iran and had harmed the reputation of the affected banks, with customers panicking about their personal information having been made public.
Boaz Dolev, the chief executive officer of ClearSky, said the scope of the breach indicated that whoever was responsible possessed “high technological capability, which is usually at the hand of state intelligence services.”
ClearSky issued a warning to Israeli credit card companies on Dec. 3 to be on alert in case of an Iranian counterattack if the authorities in Tehran concluded the banks had been compromised by hostile foreign powers.
Farnaz Fassihi and Ronen Bergman c.2019 The New York Times Company