The credit records of 1,800 customers of the financial institution iCard (AICART) became public yesterday. The archive with 21 gigabytes of data was published by a hacker with the pseudonym Kyulev on an Internet forum. He claims he did it in retaliation for not receiving the ransom demanded for the leaked data. The iCard initially denied the information but later admitted to the problem. It remains an open question whether the customers and the Data Protection Commission were informed in due time, as the breach was known about for a long time.
BRRD verified the information and posted a message on Facebook yesterday afternoon (25.11.2020). At the time, iCard denied there had been a breach and leak, but later acknowledged the problem in a notification posted on the financial institution’s website.
It is about archive data, not current accounts of iCard users, our check showed. The victims are mostly clients – individuals and legal entities against whom enforcement proceedings for recovery of debts to Interkart Credit (former name of Aykart) were initiated in the period 2009 – 2014. There are about 1300 individuals. The information about them is extremely detailed and concerns all aspects of their personal and professional life necessary to compile a credit file – personal and professional address, properties, relatives, car make, etc. However, it is not only customers who are affected by the leak, but also their guarantors.
There is-no leak
Yesterday iCard published a disclaimer on its blog, signed by CEO Yavor Petrov. He claims that the information about the leak of customers’ ID cards is false. “This attack is aimed at discrediting the successful Bulgarian e-money company with a leading position on the European fintech scene,” the statement said.
Later, however, a discreet notice was posted on the website acknowledging the breach and stating that it affected about 1,800 people. “There is no indication that the current active customers of the services of Aikart Credit EAD, as well as their personal data, including – movement on drawn credit lines, value of credit granted, data on payment instruments, are affected by this security breach. There has been no breach of security of the information systems of “Aykart Credit” EAD, which support the provision of financial services to the current active customers of the company” – the message reads.
As a fintech operator licensed by the BNB (license number 4703-5081), iCard has contracts with MasterCard and Visa to issue credit and payment cards. In addition, iCard is behind the mobile operator’s A1 digital wallet and MyPOS service. Two years ago, the firm boasted over 500,000 users of its digital wallet in Europe. At the time, Aikart claimed that in 2018 alone, iCard.bg processed 47 million transactions worth more than 1.7 billion euros. The actual information on the company’s website is much more modest – 250 thousand private and over 55 thousand business customers and 10 million transactions per year.
When was the CPVO notified?
Hacker Kyulev claims to have breached iCard’s system some time ago and negotiated a ransom. It is the company’s legal obligation to notify affected individuals and the Data Protection Commission within 48 hours of discovering the leak. However, it seems this was not done until the story gained publicity. The BRRD has sent a request to the CPML to see if they are aware of the problem, but so far there has been no response from the Commission.
Who is behind iCard?
The main shareholder in iCard is Bulgarian Hristo Georgiev. He became known as the founder of the Maltese bank Satabank, closed by the ECB at the request of the Maltese financial regulator in 2018. According to the Financial Times, the closure also affected customers of the payment service Leo Pay, whose accounts were closed without warning. Once the problem became known, the Leo Pay website immediately removed the information that Satabank was behind the service.
The iCard qualifies these allegations as defamation and claims that it has filed a lawsuit against the Maltese media that circulated them.
Item: This iCard is not that iCard
BRRD sent several questions about the incident to the PR agency that services the company. The answer came from the company “Aikart Credit” EAD. We asked why iCard initially denied the data leak after a hacking attack.
Щом сте стигнали дотук, вероятно вече си задавате въпроса как се финансира този журналистически проект.
От създаването си BIRD се финансираше от подаяния в нашето журналистическо чекмедже.
Но на чекмеджето му мина времето. Даже прокуратурата затвори онова Чекмедже, знаете кое…
Нашето финансиране влиза в крак с епохата. Фондонабиращата ни кампания вече се казва
Дарявай за BIRD и мятай павета в блатото с корумпирани политици и други тарикати.
Те тайно премятат пари от твоя джоб в своя. Те размятат безнаказано лукса си пред очите на всички. Няма кой да ги накаже ако се надяваш на държавата.
Мятай, за да ги накажеш ти. Да дариш за разследващите журналисти е гаранция, че гадостите, с които силните на деня те замерят, ще им се върнат.
Можеш да метнеш веднъж, за да ти олекне!
Но по-добре е да мяташ редовно всеки месец и да се чувстваш трайно удовлетворен.
А най-добре е да доведеш приятели и да мятаме редовно заедно в екип. С мощен залп!
*За кръстник на новата ни фондонабираща кампания избрахме другарката Ваня. Благодарим й за вдъхновението!
До момента имаме 411 активни редовни дарители, които осигуряват 5697.34 € месечно. Нашата цел е те да станат 1,000.
Събери се с приятели и мятайте заедно с BIRD. Лесно е.
1. Регистрирай се 2. Създай отбор 3. Създай свой профил 4. Покани приятели
Или се включи в някой отбор:
Lightning network: firstname.lastname@example.org
This post is also available in: Български (Bulgarian)