A massive data breach of Iranian banks that saw millions of customers’ debit card information published online may have been carried out by a foreign state, rather then by a local hacker, The New York Times reported Wednesday, citing a cybersecurity expert.
During recent rioting in Iran over a fuel price hike, hundreds of bank branches were burned. At the same time, details of millions of debit cards were published on social media after an attack that targeted three of Iran’s largest banks — Mellat, Tejarat and Sarmayeh.
All three of the banks were sanctioned over a year ago by the US Treasury for allegedly transferring money on behalf of entities of Iran’s Islamic Revolutionary Guard Corps, which was designated a terror organization by the Trump administration last April. None of the banks have issued statements about the hack but Iran’s information and telecommunications minister, Mohammad Javad Azari Jahromi, finally admitted to the breach on Sunday, the first official acknowledgement that anything was happening.
By Tuesday, information for some 15 million cards, representing about a fifth of the country’s population, had been leaked to the internet, in what was reportedly the largest hack in Iran’s history.
Jahromi denied the banks had been hacked and said the data theft was carried out by “a disgruntled contractor” as part of an extortion plot, the Times report said.
However, experts questioned the claim and said that such a large information breach was more likely to have been carried out by state actors aiming to generate further instability in Iran. Fearful customers may pull their money from the banks, which would have a long-term impact on the institutions.
Boaz Dolev, the CEO of ClearSky, an Israeli cybersecurity firm, assessed that those responsible had “high technological capability, which is usually at the hand of state intelligence services.”
On December 3 ClearSky warned Israeli credit card companies that the Iranians may try to counterattack if Tehran believes the hack was carried out by foreign powers.
Neither the White House nor the Israel Defense Forces commented on the report.
The hack first began to show up on November 27 when account information was published on Telegram, a mobile communication app popular in Iran. Hackers wrote they had demanded money from the banks to keep the information safe but, since their requests were ignored they were going to publish the card details. Hours later the information was posted.
The leaked data included account holder names and numbers, but the PIN codes for the cards were hidden. The messages also instructed readers on how to make forgeries of the cards.
Impacted banks responded by contacting their clients, while the Iranian police unit in charge of cyber investigations sent out an email urging customers to have their cards replaced, the report said, citing a copy of the email published by Iranian media.
The attack came amid instability in Iran, where demonstrations began in mid-November after the government raised minimum gasoline prices. Amnesty International has said at least 208 were killed as the regime suppressed the rioting, while the US has said as many as 1,000 may have been killed. During the violence Iran repeatedly accused the Western powers of stoking the unrest.
Both the US and Israel are believed to have carried out cyber-attacks on Iran in the past, and the Islamic Republic has hit back with its own assaults. In October the US reportedly conducted a cyber-attack against Iran in the wake a cruise missile and drone strike on key Saudi oil facilities the month before, which many Western countries have blamed on the Islamic Republic.
Earlier in the month Microsoft said that it believed that hackers linked to the Iranian government had been targeting a US presidential campaign, as well as government officials, media targets and prominent expatriate Iranians.
