Hacker breached iCard and published the personal data of 1800 individuals

Warning! This is an automatic translation from Bulgarian. The translation has not been checked by the editor desk and may be inaccurate or ambiguous. The publisher endorses only the Bulgarian version of the article.

The credit records of 1,800 customers of the financial institution iCard (AICART) became public yesterday. The archive with 21 gigabytes of data was published by a hacker with the pseudonym Kyulev on an Internet forum. He claims he did it in retaliation for not receiving the ransom demanded for the leaked data. The iCard initially denied the information but later admitted to the problem. It remains an open question whether the customers and the Data Protection Commission were informed in due time, as the breach was known about for a long time.

BRRD verified the information and posted a message on Facebook yesterday afternoon (25.11.2020). At the time, iCard denied there had been a breach and leak, but later acknowledged the problem in a notification posted on the financial institution’s website.

It is about archive data, not current accounts of iCard users, our check showed. The victims are mostly clients – individuals and legal entities against whom enforcement proceedings for recovery of debts to Interkart Credit (former name of Aykart) were initiated in the period 2009 – 2014. There are about 1300 individuals. The information about them is extremely detailed and concerns all aspects of their personal and professional life necessary to compile a credit file – personal and professional address, properties, relatives, car make, etc. However, it is not only customers who are affected by the leak, but also their guarantors.

There is-no leak

Yesterday iCard published a disclaimer on its blog, signed by CEO Yavor Petrov. He claims that the information about the leak of customers’ ID cards is false. “This attack is aimed at discrediting the successful Bulgarian e-money company with a leading position on the European fintech scene,” the statement said.

Later, however, a discreet notice was posted on the website acknowledging the breach and stating that it affected about 1,800 people. “There is no indication that the current active customers of the services of Aikart Credit EAD, as well as their personal data, including – movement on drawn credit lines, value of credit granted, data on payment instruments, are affected by this security breach. There has been no breach of security of the information systems of “Aykart Credit” EAD, which support the provision of financial services to the current active customers of the company” – the message reads.

As a fintech operator licensed by the BNB (license number 4703-5081), iCard has contracts with MasterCard and Visa to issue credit and payment cards. In addition, iCard is behind the mobile operator’s A1 digital wallet and MyPOS service. Two years ago, the firm boasted over 500,000 users of its digital wallet in Europe. At the time, Aikart claimed that in 2018 alone, iCard.bg processed 47 million transactions worth more than 1.7 billion euros. The actual information on the company’s website is much more modest – 250 thousand private and over 55 thousand business customers and 10 million transactions per year.

When was the CPVO notified?

Hacker Kyulev claims to have breached iCard’s system some time ago and negotiated a ransom. It is the company’s legal obligation to notify affected individuals and the Data Protection Commission within 48 hours of discovering the leak. However, it seems this was not done until the story gained publicity. The BRRD has sent a request to the CPML to see if they are aware of the problem, but so far there has been no response from the Commission.

Who is behind iCard?

The main shareholder in iCard is Bulgarian Hristo Georgiev. He became known as the founder of the Maltese bank Satabank, closed by the ECB at the request of the Maltese financial regulator in 2018. According to the Financial Times, the closure also affected customers of the payment service Leo Pay, whose accounts were closed without warning. Once the problem became known, the Leo Pay website immediately removed the information that Satabank was behind the service.

The iCard qualifies these allegations as defamation and claims that it has filed a lawsuit against the Maltese media that circulated them.

Item: This iCard is not that iCard

BRRD sent several questions about the incident to the PR agency that services the company. The answer came from the company “Aikart Credit” EAD. We asked why iCard initially denied the data leak after a hacking attack.

iCard AD denied that there was a data leak because it is a different company and it was not the target of the hacking attack and no data they administer was leaked. Aikart Credit LLC, which is a different company, was the target of the hacker attack. The two companies have different customers, activities, employees and should in no way be considered the same. – reads the answer.

This position is strange, because the domain where the business showcase and the hacked system are located is icard.bg, so the connection between the two companies is hard to deny. Moreover, the same persons are identified as the ultimate owners. The company through which control over Aykart AD and Aykart Credit EAD is exercised is the same –Intercapital Holding.

In addition, the leaked documents include hundreds of contracts and wire transfer orders signed by both Interkart Credit (formerly known as Aikart Credit) and Interkart Financial. The latter company has the same UIC number as Aikart SA, which is its successor. The names, SSNs and bank account numbers of hundreds of citizens are found in these documents.

“Aikart Credit” clarified that the data leak happened on 22 November and they have notified the CPML, the GDPR and other authorities within the statutory deadline. At the moment, it was being established exactly which persons were affected and exactly which personal data had been leaked, and those affected were being notified according to the law.

***

За да научавате преди всички за нови разследвания, инсталирайте си нашето мобилно приложение:

Щом сте стигнали дотук, вероятно вече си задавате въпроса как се финансира този журналистически проект.

От създаването си BIRD се финансираше от подаяния в нашето журналистическо чекмедже.
Но на чекмеджето му мина времето. Даже прокуратурата затвори онова Чекмедже, знаете кое…
Нашето финансиране влиза в крак с епохата. Фондонабиращата ни кампания вече се казва

#МятайСБЪРД

Дарявай за BIRD и мятай павета в блатото с корумпирани политици и други тарикати.
Те тайно премятат пари от твоя джоб в своя. Те размятат безнаказано лукса си пред очите на всички. Няма кой да ги накаже ако се надяваш на държавата.
Мятай, за да ги накажеш ти. Да дариш за разследващите журналисти е гаранция, че гадостите, с които силните на деня те замерят, ще им се върнат.
Можеш да метнеш веднъж, за да ти олекне!
Но по-добре е да мяташ редовно всеки месец и да се чувстваш трайно удовлетворен.
А най-добре е да доведеш приятели и да мятаме редовно заедно в екип. С мощен залп!
*За кръстник на новата ни фондонабираща кампания избрахме другарката Ваня. Благодарим й за вдъхновението!