Banque Cantonale de Geneve Leak – Rex Mundi (update2)
As seen on DPaste this morning and as tweeted by @RexMundi14:
Dear friends and foes,
Last week, we hacked our way into the servers of Swiss bank Banque Cantonale de Geneve (BCGE). While we did not access any bank account, we did download 30,192 private emails sent by both Swiss and foreign customers, in addition to various other interesting data (conference registrations, mailing list entries,…).
One of these emails we downloaded, for example, was sent by a Mr [Name REDACTED by DataBreaches.net], born on [DOB REDACTED by DataBreaches.net]. His phone number is [REDACTED by DataBreaches.net] and his email address is [REDACTED by DataBreaches.net]. He sent the following email to BCGE: “Dear Sir/Madame, I am currently on a work assignment in Singapore. I need to access my accounts [Account number REDACTED by DataBreaches.net] but I am unable to. My access has been locked. Please kindly unblock my account and resend a new password (to my address in your system in Madrid, Spain). If needed you may reach me at [Phone number REDACTED by DataBreaches.net]. Many thanks.”
Or we have Mr [Name REDACTED by DataBreaches.net], who lives at [Address REDACTED by DataBreaches.net] and whose email address is [REDACTED by DataBreaches.net] ([Phone number REDACTED by DataBreaches.net]). His message is “Madame, Monsieur bonjour,\r\n\r\nNous voudrions fermer notre compte et transferer le solde de notre compte en France.\r\nMerci de nous indiquer les demarches administratives a suivre.\r\nDans l\\’attente de notre reponse Tres cordialement [Names REDACTED by DataBreaches.net]”
There are 30,190 other similar emails and customer records in the database we downloaded.
We would like to mention that, as always, we did contact BCGE a few days ago and offered them not to post their data in exchange for a very reasonable amount of money. Since they declined our initial offer, we have therefore decided to post this initial leak.
The full dump will be posted on our website [url REDACTED by DataBreaches.net] as well as on clearnet on Friday at 6PM CET if BCGE still refuses to pay us 10,000EUR.
If you are a BCGE customer and, more importantly, if you are one of their many foreign customers and want to avoid a painful tax audit, you might want to contact the bank and ask them to reconsider their position either by visiting www.bcge.ch and filling out the contact form or by calling +41 (0)58 211 21 00 .
Update 1: The bank issued the following statement/press release in response to an inquiry from this site yesterday:
Attempted cyber-attack on a BCGE website
Geneva, 7 January 2015 – The Banque Cantonale de Genève (BCGE) was the object of an attempted cyber-attack, which the bank succeeded in resisting. This act aimed at intercepting information on a website. The bank has implemented additional safeguards and has informed the customers concerned.
The Banque Cantonale de Genève (BCGE) has been the object of an attempted cyber-attack, which it has resisted.
This act was designed to intercept information on a website used as an interface and communication tool with customers and people interested in the bank’s services.
Only certain information transmitted by internet users, but in no way critical and of no great use or even obsolete, was re-transcribed.
The BCGE has implemented additional safeguards. Every customer concerned has been or is in the process of being informed by their bank advisor.
The bank notes that this incident occurred outside the bank’s highly secure perimeters.
Having fully analysed this attack, the BCGE emphasises the robustness of its security system while at the same time insisting on the need for its customers to be cautious when using internet applications.
The bank also issued this message:
IT incident: safeguard measures implemented
The BCGE informs its customers that it managed an IT security incident on Wednesday 7 January. It involved a website used as an interface and communication tool with customers and people interested in the bank’s services. An instance of unauthorised access was identified on this platform.
Some items of content exchanged with the bank were intercepted by a third party. It did not involve critical data, only limited non-financial information which in no way endangers account security. However, and insofar as it is not possible to guarantee the total security of internet transmissions, data such as addresses, e-mails and telephone numbers could have been re-transcribed.
The bank has implemented additional safeguard measures, even though it is not responsible for the security of personal data circulating via the internet.
Thanks to a fundamentally robust IT security environment and to the additional measures implemented, no financial damage has been reported in connection with this incident.
Every customer concerned has been or is in the process of being informed of the situation by their bank advisor.
The bank reiterates its call for caution and recommends the utmost vigilance. If you have any questions, please contact your advisor and consult the Security section in the Online Banking area of the website www.bcge.ch.
So the bank states it is not responsible for the security of personal data “circulating via the Internet?” It’s not clear to me why they do not view themselves as responsible for the security of information provided by their customers or potential clients via their web site. Even if you can’t guarantee perfect security, I would think they have some level of responsibility.
In any event, Bloomberg reports that BCGE will not be paying any ransom demand, so do not be surprised to see Rex Mundi dump the data at some point.
Update 2 (Jan. 9): the data have been dumped.