Google issued a statement last week saying, “This is an important issue that we take seriously. While we don’t discuss specific cases, blogger’s content policies prohibit publishing another person’s personal and confidential information.”
Khosrow Zareh, who previously worked for an Iranian firm that provided security services to almost all the banks in Iran, posted the bank information around the middle of April.
The date Google acted is not known, but it was before May 2 or around two weeks after the confidential data was posted. It presumably acted after someone notified it of what Zareh had done.
Zareh says he has taken no money from the accounts, but posted the data to show how poor Iranian bank security measures are.
It isn’t known if anyone else, with two weeks of access to the information, has stolen from any accounts.
The Islamic Republic has been largely silent about the posting. The banks have notified customers that they should change their PIN numbers.
Anyone could use the published numbers to go an ATM and pull cash from the compromised accounts.
Zareh fled Iran last month and it is not known where he is now. The Islamic Republic has not announced any effort to extradite him back to Iran.
The Central Bank said the customers impacted were at 10 Iranian banks. But Zareh’s blog listed account information under the names of 24 banks, or just about every bank in the country.
The blog did not contain the names of account holders. It simply had column after column of account numbers and the security codes associated with each one.
Google’s policy on blog content states: “Personal and confidential information: It’s not OK to publish another person’s personal and confidential information. For example, don’t post someone else’s credit card numbers, Social Security numbers, unlisted phone numbers and driver’s license numbers.”
Zareh said that several months ago he wrote his bosses about a security hole he had found. He said that after the bosses ignored his memo, he took down the numbers for 3 million bank accounts to prove his point. He has not explained why he posted the numbers, which threatens to punish individual citizens, not the banks he says are offenders.