February 07 2020
The Islamic Republic has announced that three banks were hit by a “very big” cyberattack, which it said was launched by an unnamed foreign state—although it earlier said the attack was an extortion plot that originated inside Iran.
The goal of the attack, however, appeared to be political—to embarrass the regime and make it appear inept in the face of a cyber challenge.
Whatever the source or purpose of the attack, what most concerned many Iranians was the fact that attackers posted the names and debit card account numbers for 15 million Iranians, or about 18 percent of the population.
The cyber attackers did not, however, include the PIN numbers associated with the accounts; they were deleted from the Internet posting. But the cyber attackers themselves do have the PIN numbers.
The exposed account numbers were stolen from three major banks—Mellat, Tejarat and Sarmayeh. The first two are government-owned; Sarmayeh is privately owned.
The account details were posted on the Telegram messaging app, which is very widely used in Iran. After nine days, Telegram shut down the channel with the posting.
After the account numbers were first posted November 27, Telecommunications Minister Mohammad-Javad Azari-Jahromi waited 11 days before telling the public December 8 that the posting was the action of a disgruntled contractor who had published the information and was using it for extortion. He said the contractor had direct access to the accounts and denied the banks had been hacked. But a few days later, he blamed foreigners and said they had hacked the banks.
There were no reports of extortion efforts published in Iran. Some account holders said they had received emails saying, “We are in control of your bank information and your bank is lying to you.” The emails advised recipients to take immediate action—but did not say what that should be.
None of the three banks have issued public statements since the account information was posted. But they did send messages to account holders advising them to go to a bank branch and get a new debit card.
The three banks were among those sanctioned by the US Treasury last year. The main threat to the banks is that their depositors will lose trust in them and withdraw their funds.
A message posted with the list of account information said, “We will burn the reputation of these banks the same way we burned their branch offices”—a reference to the torching of hundreds of bank offices during the mid-November protests. That suggested the goal of the cyber attackers was to attack the regime, not to steal funds from the account holders.
The last time Iranian banks suffered a major hack was in 2012 when hackers gained access to the accounts of three million people at 22 banks. Media stories said a technology specialist, Khosrow Zare-Farid, who had once managed a firm processing electronic payments, announced he conducted the hack to demonstrate how insecure Iran’s electronic banking system is.