Hacker breached iCard and published the personal data of 1800 individuals

The credit records of 1,800 customers of the financial institution iCard (AICART) became public yesterday. The archive with 21 gigabytes of data was published by a hacker with the pseudonym Kyulev on an Internet forum. He claims he did it in retaliation for not receiving the ransom demanded for the leaked data. The iCard initially denied the information but later admitted to the problem. It remains an open question whether the customers and the Data Protection Commission were informed in due time, as the breach was known about for a long time.

BRRD verified the information and posted a message on Facebook yesterday afternoon (25.11.2020). At the time, iCard denied there had been a breach and leak, but later acknowledged the problem in a notification posted on the financial institution’s website.

It is about archive data, not current accounts of iCard users, our check showed. The victims are mostly clients – individuals and legal entities against whom enforcement proceedings for recovery of debts to Interkart Credit (former name of Aykart) were initiated in the period 2009 – 2014. There are about 1300 individuals. The information about them is extremely detailed and concerns all aspects of their personal and professional life necessary to compile a credit file – personal and professional address, properties, relatives, car make, etc. However, it is not only customers who are affected by the leak, but also their guarantors.

There is-no leak

Yesterday iCard published a disclaimer on its blog, signed by CEO Yavor Petrov. He claims that the information about the leak of customers’ ID cards is false. “This attack is aimed at discrediting the successful Bulgarian e-money company with a leading position on the European fintech scene,” the statement said.

Later, however, a discreet notice was posted on the website acknowledging the breach and stating that it affected about 1,800 people. “There is no indication that the current active customers of the services of Aikart Credit EAD, as well as their personal data, including – movement on drawn credit lines, value of credit granted, data on payment instruments, are affected by this security breach. There has been no breach of security of the information systems of “Aykart Credit” EAD, which support the provision of financial services to the current active customers of the company” – the message reads.

As a fintech operator licensed by the BNB (license number 4703-5081), iCard has contracts with MasterCard and Visa to issue credit and payment cards. In addition, iCard is behind the mobile operator’s A1 digital wallet and MyPOS service. Two years ago, the firm boasted over 500,000 users of its digital wallet in Europe. At the time, Aikart claimed that in 2018 alone, iCard.bg processed 47 million transactions worth more than 1.7 billion euros. The actual information on the company’s website is much more modest – 250 thousand private and over 55 thousand business customers and 10 million transactions per year.

When was the CPVO notified?

Hacker Kyulev claims to have breached iCard’s system some time ago and negotiated a ransom. It is the company’s legal obligation to notify affected individuals and the Data Protection Commission within 48 hours of discovering the leak. However, it seems this was not done until the story gained publicity. The BRRD has sent a request to the CPML to see if they are aware of the problem, but so far there has been no response from the Commission.

Who is behind iCard?

The main shareholder in iCard is Bulgarian Hristo Georgiev. He became known as the founder of the Maltese bank Satabank, closed by the ECB at the request of the Maltese financial regulator in 2018. According to the Financial Times, the closure also affected customers of the payment service Leo Pay, whose accounts were closed without warning. Once the problem became known, the Leo Pay website immediately removed the information that Satabank was behind the service.

The iCard qualifies these allegations as defamation and claims that it has filed a lawsuit against the Maltese media that circulated them.

Item: This iCard is not that iCard

BRRD sent several questions about the incident to the PR agency that services the company. The answer came from the company “Aikart Credit” EAD. We asked why iCard initially denied the data leak after a hacking attack.

***

За да научавате преди всички за нови разследвания, инсталирайте си нашето мобилно приложение:

Щом сте стигнали дотук, вероятно вече си задавате въпроса как се финансира този журналистически проект.

От създаването си BIRD се финансираше от подаяния в нашето журналистическо чекмедже. Но на чекмеджето му мина времето. Даже прокуратурата затвори онова Чекмедже, знаете кое… Нашето финансиране влиза в крак с епохата. Фондонабиращата ни кампания вече се казва

#МятайСBIRD

Дарявай за BIRD и мятай павета в блатото с корумпирани политици и други тарикати.

Защо да мятам ли?

BIRD.bg е една от малкото специализирани разследващи медии у нас и осветява мащабни корупционни схеми, конфликти на интереси и злоупотреба с власт, в които участват ключови политици, магистрати, бизнесмени. В завладяна държава като България свободните медии имат изключително важна роля и за да останат независими и обективни, се нуждаят от подкрепата на гражданите.

Ние се издържаме само от малки дарения от граждани. Изчислили сме, че за да работим като устойчива медия, ни трябват около 240,000 лв. годишно или 20,000 лв. на месец. Тук виждате актуалния брой на нашите регулярни дарители, средната месечна сума на даренията и общата сума, която те са дарили за периода от старта на сайта през септември 2020 г. до днешна дата.

Регулярните месечни дарения в размер 10, 20, 50 лв. или друга сума по избор ни дават финансова сигурност и позволяват да планираме дейността си за месеци напред.

Освен да “мятате”, можете и да “шамаросвате”. В момента срещу журналистите от BIRD се водят 10 дела SLAPP известни като “дела-шамари”. Помогнете ни за съдебните разходи, които никак не са малки. Всяко Ваше дарение за конкретно “дело-шамар” е “шамар” срещу шамаросващите, които разполагат с огромни пари срещу нашите скромни финансови възможности.

Дълбоко благодарни сме за всяка подкрепа!

This post is also available in: Български (Bulgarian)