Iran banks burned, then customer accounts were exposed online

The New York Times | Farnaz Fassihi and : The details of millions of Iranian bank cards were published online after antigovernment protests last month. Experts suspect a state-sponsored cyberattack.

After demonstrators in Iran set fire to hundreds of bank branches last month in antigovernment protests, the authorities dealt with another less visible banking threat that is only now coming to fuller light: a security breach that exposed the information of millions of Iranian customer accounts.

As of Tuesday, details of 15 million bank debit cards in Iran had been published on social media in the aftermath of the protests, unnerving customers and forcing the government to acknowledge a problem. The exposure represented the most serious banking security breach in Iran, according to Iranian media and a law firm representing some of the victims.

The breach, which targeted customers of Iran’s three largest banks, was likely to further rattle an economy already reeling from the effects of American sanctions and came as Iran’s leadership was grappling with deep-seated anger over its deadly crackdown on the protests.

The number of affected accounts represents close to a fifth of the country’s population.

“This is the largest financial scam in Iran’s history,” reported Aftab News, a conservative media outlet. “Millions of Iranians are worried to find their names among the list of hacked accounts.”

Iran’s information and telecommunications minister, Mohammad Javad Azari Jahromi, described the breach as data theft by a disgruntled contractor who had access to the accounts and had exposed them as part of an extortion attempt. He denied the banking system’s computers had been hacked.

But outside cyberexperts disputed that claim. They also said a breach of such magnitude was likely the work of a state entity aiming to stoke instability, not criminals whose objective is blackmail for financial gain.

Iran has been engaged in a cycle of hack and counterhack in a cyberwar against the United States and Israel. Both sides have targeted each other’s financial and sensitive government institutions through cyberattacks for years.

The banks affected — Mellat, Tejarat and Sarmayeh — had all been sanctioned more than a year ago by the United States Treasury, which accused them of having transferred money on behalf of blacklisted entities of Iran’s Islamic Revolutionary Guards Corps, part of the armed forces. The entire Revolutionary Guards organization was designated as a terrorist group by the Trump administration last April.

A White House spokesman did not respond to a request for comment on the Iran banking breach. A spokesman for the Israel Defense Forces said: “We do not respond to foreign reports.”

Analysts monitoring Iran said that regardless of who was responsible, the breach created another financial challenge for the Islamic Republic as it struggles to manage tough economic sanctions imposed by the United States, as well as unrest at home and a political backlash in the region over Iran’s influence.

The data exposure could have a long-term impact on the three banks if customers lose trust and withdraw their money.

Iran’s official silence for nearly two weeks on the exposure could reflect a reluctance by the leadership to acknowledge that its financial institutions are vulnerable, experts said. The bank card data first began to appear on Nov. 27, but it was not until Sunday that Mr. Azari Jahromi, the information minister, commented on the breach.

The persons or entity behind the attack and the motivation remain unclear. The account information was published on a channel called “Your banking cards” on Telegram, a popular mobile phone app used in Iran. The first message warned that “we will burn the reputation of their banks the same way we torched their banks,” referring to protesters across Iran who pillaged and burned about 730 bank branches.

The message on Telegram also stated that the perpetrators had demanded payment from the banks but their request had been ignored, and therefore they would be releasing the details on millions of bank cards. Within hours, they did.

The information uploaded on Telegram contains names of account holders and account numbers, but the PIN codes appear obscured. The information also includes directions on how to make homemade forgeries of cards containing the leaked information.

The banks sent clients text messages and Iran’s cyberpolice alerted them in an email titled, “Your bank account is in danger of illegal usage,” and asked customers to visit a bank branch and replace their cards, according to a copy of the email published in Iranian media.

None of the three banks have issued public statements acknowledging the breach.

ClearSky, a cybersecurity company that was among the first to issue warnings of the breach, said it had damaged the flow of financial transactions inside Iran and had harmed the reputation of the affected banks, with customers panicking about their personal information having been made public.

Boaz Dolev, the chief executive officer of ClearSky, said the scope of the breach indicated that whoever was responsible possessed “high technological capability, which is usually at the hand of state intelligence services.”

ClearSky issued a warning to Israeli credit card companies on Dec. 3 to be on alert in case of an Iranian counterattack if the authorities in Tehran concluded the banks had been compromised by hostile foreign powers.

The last major hack targeting Iranian banks occurred in 2012, when hackers gained access to the account information of three million users across 22 banks. An information technology specialist, Khosrow Zare Farid, who formerly managed a company for electronic payments in Iran, claimed responsibility for the hack to prove security loopholes in Iran’s electronic banking system, according to media reports.

In the United States, the Justice Department accused Iran of major cyberattacks from 2011 to 2013 targeting several American banks including Bank of America, JPMorgan Chase, Wells Fargo, US Bank and PNC Bank. The hackers interrupted customer service and jammed websites. In 2016, seven Iranians were indicted on federal charges for cyberattacks on behalf of the Revolutionary Guards.

The Trump administration has given the United States military more power to launch pre-emptive cyberattacks on Iranian interests, reversing a directive under President Barack Obama that required the president’s permission for cyberattacks that could trigger “significant consequences.”

An Iranian organization that identifies itself as the Citizenship Protection Foundation has offered free legal consultations for Iranians affected by the data breach, according to its website and reports in Iranian media. The organization’s home page includes a link to “the hacking of 10 million accounts” and says that Iran’s intelligence officials are investigating.

Amir Rashidi, an Iranian internet expert who designed the cyberstructure of Iran’s state-owned petrochemical industry, said that although Iran’s state-sponsored hackers are sophisticated, the cybersecurity of most government entities and banks in the country “is in shambles.”

Many loopholes, he said, “make it easy and possible for state actors and criminals to hack the system.”

Mark Mazzetti contributed reporting.