City Bank Data Breach: Clients’ Statements Exposed. Bank resolves the issue.
January 2nd, 2025: City Bank PLC experienced a data breach, resulting in the exposure and subsequent sale of sensitive client financial statements on underground hacking forums.
This incident, confirmed by the Bangladesh Cyber Security Intelligence (BCSI), raises serious concerns about the cybersecurity practices within Bangladesh’s financial institutions.
The breach, initially discovered in December 2024 by a CS-CERT contributor who alerted BCSI to a threat actor advertising the stolen data, underscores the growing threat of cyberattacks targeting financial institutions.
Technical Details of the City Bank Data Breach
According to BCSI’s investigation, the City Bank data breach stemmed from critical flaws in the bank’s session management system.
Attackers successfully bypassed weak multi-factor authentication (MFA) due to inadequate session handling.
This allowed them to reuse previously authenticated sessions to access multiple accounts. Furthermore, session tokens were not properly invalidated, creating a significant security vulnerability.
This oversight enabled attackers to retrieve sensitive client data without requiring additional authentication steps, exploiting a critical weakness in the bank’s cybersecurity infrastructure.
The vulnerability was specifically within the “Statement Portal,” a web portal City Bank provides for customers to download their account statements using Two-Factor Authentication (2FA) and a One-Time Password (OTP).
“This vulnerability was limited to viewing account statements only. That is, no transactions or other unauthorised activities were or could be performed by the hacker,” according to City Bank’s statement.
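The session-handling controls whose absence is described above (a session bound to one account, authorized only after OTP verification, and invalidated server-side) can be sketched as follows. This is an added illustration, not City Bank's or BCSI's code; `SessionStore`, `IDLE_TIMEOUT` and the account labels are hypothetical.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT = 300  # seconds; assumed value for illustration

class SessionStore:
    """Hypothetical server-side session store for a statement portal."""
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def begin_login(self, account_no):
        # A new session is unverified and bound to exactly one account.
        token = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._sessions[token] = {"account": account_no, "otp": otp,
                                 "mfa_ok": False, "seen": self._clock()}
        return token, otp  # the OTP goes to the registered phone, never to the client

    def verify_otp(self, token, submitted):
        # The presented token is always retired: one OTP attempt per login.
        s = self._sessions.pop(token, None)
        if s is None or s["otp"] is None:
            return None
        if not hmac.compare_digest(s["otp"].encode(), submitted.encode()):
            return None
        # Rotate the token when the session gains MFA-verified status.
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = {"account": s["account"], "otp": None,
                                 "mfa_ok": True, "seen": self._clock()}
        return fresh

    def authorize(self, token, account_no):
        # Checked on every statement request, not only at login.
        s = self._sessions.get(token)
        now = self._clock()
        if s is None or not s["mfa_ok"]:
            return False  # fail closed: no verified OTP, no access
        if now - s["seen"] > IDLE_TIMEOUT:
            self._sessions.pop(token, None)  # expire server-side
            return False
        if s["account"] != account_no:
            return False  # a session is never valid for a second account
        s["seen"] = now
        return True

    def revoke(self, token):
        # Logout or incident response: the token stops working immediately.
        self._sessions.pop(token, None)
```

Because a session only becomes usable inside `verify_otp`, a failure to deliver the OTP leaves the session unverified instead of granting access.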
City Bank’s Response and Remediation Efforts
City Bank’s Managing Director and CEO, Mashrur Arefin, issued an official statement acknowledging the breach.
The statement explained that a system “glitch” on January 2nd, 2025, allowed a hacker to bypass the 2FA process and access account statements.
The bank emphasized that the number of affected accounts was limited, as the hacker could only access accounts whose numbers were already known.
The glitch prevented OTPs from being sent to registered phone numbers, enabling unauthorized access.
Importantly, City Bank clarified that the vulnerability was restricted to viewing account statements only; no transactions or other unauthorized activities were performed.
In response to the City Bank data breach, the bank’s tech security team immediately reviewed the Statement Portal’s ecosystem, revoked all compromised access, and terminated all bypassed sessions.
A dedicated real-time monitoring team was deployed to oversee further activities. To prevent future incidents, the IT team implemented robust measures to address the identified vulnerabilities, and the Security Operations Center (SOC) team enhanced its 24/7 monitoring capabilities. City Bank assures its customers that such incidents will not recur.
“To ensure such incidents do not recur, the IT team, through its developer wing, has already implemented robust measures to prevent similar vulnerabilities in our portals. Also our Security Operations Center (SOC) team has enhanced its 24/7 monitoring capabilities. With full assurance we can inform our customers that such incidents will not take place again,” according to City Bank’s official statement.
Previous Warnings and Insufficient Measures
The City Bank data breach highlights a failure to fully address previous security concerns.
In mid-2024, BCSI warned City Bank about vulnerabilities in its systems, demonstrating how attackers could potentially withdraw client funds and access sensitive information.
While City Bank claimed to have addressed these issues, the subsequent breach suggests that the implemented measures were insufficient to prevent this significant security incident.
This underscores the importance of proactive and comprehensive cybersecurity measures within financial institutions.
The City Bank data breach incident highlights the critical need for robust cybersecurity practices, including strong MFA implementation, secure session management, and regular security audits.
The vulnerability exploited in this breach, involving weaknesses in session management and MFA bypass, should serve as a lesson for other financial institutions in Bangladesh and globally.
The prompt response and remediation efforts by City Bank are commendable, but the incident emphasizes the importance of continuous vigilance and proactive security measures to protect sensitive client data.