But the hacker then went and published all the account numbers on the web!
That was an assault not just on the banking system but a direct attack on every Iranian with an account that can now be raided.
The customers were at 10 Iranian banks, the Central Bank said. The banks said all their customers would have to change their PIN numbers before they could have access to their accounts through ATM machines.
This prompted a mad rush to ATMs.
Within days a man claiming to be a hacker published the account numbers and PINs (Personal Identification Numbers) for what he said were millions of accounts at Iranian banks.
They were listed on a blog with an address in France.
The blog had them listed under the names of 24 banks, not just 10, or just about every bank in Iran.
The blogger did not say how many accounts were included on his blog.
The publication of the security data Tuesday could bring Iranian banking to a halt and cause far more economic havoc than all the forreign sanctions.
The blog did not carry the names on accounts. It listed account numbers and the security codes associated with them.
The Mehr news agency said one employee at a company that provides payment services to many banks was the culprit. Mehr said that the company fired one of its managers who then exposed customer information “to show that this company was riddled with security breaches and poor banking surveillance systems.”
The blogger identified himself as Khosrow Zareh and claimed that he had hacked the PIN numbers from the banking system to highlight the vulnerability of the country’s banking system. He said he has recently left Iran and is living somewhere abroad.
He did not explain why he was publicly posting the secuity numbers. That posting does not simply demonstrate security breaches, it threatens the personal wealth and economic security of every Iranian whose account the hacker has now exposed.
The banking system likely could protect the assets of account holders by halting all access to accounts immediately.
But that means many families would be without funds. If there are 3 million compromised accounts, it could easily take months to straighten out the mess.
The incident also suggests limitations on the regime’s “cyber defenses,” which officials acclaim almost daily.
Majlis deputies said they would summon Central Bank Governor Mahmud Bahmani to explain what brought about the security breach,