Hacker breached iCard and published the personal data of 1800 individuals

The credit records of 1,800 customers of the financial institution iCard (AICART) became public yesterday. The archive with 21 gigabytes of data was published by a hacker with the pseudonym Kyulev on an Internet forum. He claims he did it in retaliation for not receiving the ransom demanded for the leaked data. The iCard initially denied the information but later admitted to the problem. It remains an open question whether the customers and the Data Protection Commission were informed in due time, as the breach was known about for a long time.

BRRD verified the information and posted a message on Facebook yesterday afternoon (25.11.2020). At the time, iCard denied there had been a breach and leak, but later acknowledged the problem in a notification posted on the financial institution’s website.

It is about archive data, not current accounts of iCard users, our check showed. The victims are mostly clients – individuals and legal entities against whom enforcement proceedings for recovery of debts to Interkart Credit (former name of Aykart) were initiated in the period 2009 – 2014. There are about 1300 individuals. The information about them is extremely detailed and concerns all aspects of their personal and professional life necessary to compile a credit file – personal and professional address, properties, relatives, car make, etc. However, it is not only customers who are affected by the leak, but also their guarantors.

There is-no leak

Yesterday iCard published a disclaimer on its blog, signed by CEO Yavor Petrov. He claims that the information about the leak of customers’ ID cards is false. “This attack is aimed at discrediting the successful Bulgarian e-money company with a leading position on the European fintech scene,” the statement said.

Later, however, a discreet notice was posted on the website acknowledging the breach and stating that it affected about 1,800 people. “There is no indication that the current active customers of the services of Aikart Credit EAD, as well as their personal data, including – movement on drawn credit lines, value of credit granted, data on payment instruments, are affected by this security breach. There has been no breach of security of the information systems of “Aykart Credit” EAD, which support the provision of financial services to the current active customers of the company” – the message reads.

As a fintech operator licensed by the BNB (license number 4703-5081), iCard has contracts with MasterCard and Visa to issue credit and payment cards. In addition, iCard is behind the mobile operator’s A1 digital wallet and MyPOS service. Two years ago, the firm boasted over 500,000 users of its digital wallet in Europe. At the time, Aikart claimed that in 2018 alone, iCard.bg processed 47 million transactions worth more than 1.7 billion euros. The actual information on the company’s website is much more modest – 250 thousand private and over 55 thousand business customers and 10 million transactions per year.

When was the CPVO notified?

Hacker Kyulev claims to have breached iCard’s system some time ago and negotiated a ransom. It is the company’s legal obligation to notify affected individuals and the Data Protection Commission within 48 hours of discovering the leak. However, it seems this was not done until the story gained publicity. The BRRD has sent a request to the CPML to see if they are aware of the problem, but so far there has been no response from the Commission.

Who is behind iCard?

The main shareholder in iCard is Bulgarian Hristo Georgiev. He became known as the founder of the Maltese bank Satabank, closed by the ECB at the request of the Maltese financial regulator in 2018. According to the Financial Times, the closure also affected customers of the payment service Leo Pay, whose accounts were closed without warning. Once the problem became known, the Leo Pay website immediately removed the information that Satabank was behind the service.

The iCard qualifies these allegations as defamation and claims that it has filed a lawsuit against the Maltese media that circulated them.

Item: This iCard is not that iCard

BRRD sent several questions about the incident to the PR agency that services the company. The answer came from the company “Aikart Credit” EAD. We asked why iCard initially denied the data leak after a hacking attack.

***

Разследващата журналистика е разузнаването на гражданите. BIRD се финансира от дарения. Ние не публикуваме реклами. Не получаваме държавни субсидии. Не разчитаме на грантове. Финансирането чрез малки дарения от читатели е гаранция за нашата независимост. Включете се, за да продължим да разкриваме злоупотреби и да държим отговорни властимащите. Използваме Вашите пари за хонорари на журналистите, командировки, изграждане и поддръжка на нашите информационни системи, такси за фирмени и имотни регистри у нас и по света, придобиване на техника и специално оборудване, осигуряване на нашата безопасност и други важни работни мисии. Важно: Ако дарявате всеки месец това ще ни даде възможност да планираме и организираме нашата работа. Благодарим Ви! Нас ни има, защото Вас Ви има!

This post is also available in: Български (Bulgarian)