Cyber Incident Victim: Iranian Civil Defense Agency
Date: Nov 2019
Location: Iran
Summary
A significant security breach exposed the details of 15 million Iranian bank debit cards following widespread protests, impacting three major financial institutions. While Iranian authorities attributed the incident to a disgruntled contractor attempting extortion, external cybersecurity experts assessed the scale and sophistication as indicative of state-sponsored activity aimed at destabilization. Compromised data—including account holder names and numbers, though not PINs—was disseminated via Telegram, prompting customer panic, operational disruptions, and reputational damage to the banks. The delayed official acknowledgment highlighted systemic vulnerabilities in the banking sector's cybersecurity infrastructure, exacerbating existing economic pressures.
Description
In November 2019, during widespread antigovernment protests in Iran that included the burning of approximately 730 bank branches, a significant cybersecurity breach exposed the details of 15 million Iranian bank debit cards. The data, belonging to customers of Iran’s three largest banks—Mellat, Tejarat, and Sarmayeh—began appearing on a Telegram channel called “Your banking cards” starting November 27. The channel operators claimed responsibility, linking the action to the protests with a message stating, “we will burn the reputation of their banks the same way we torched their banks.” They alleged they had attempted to extort the banks but received no response, prompting the data release. The leaked information included account holder names and account numbers, though PIN codes appeared obscured, along with instructions for creating homemade card forgeries using the compromised data. Iran’s government remained silent for nearly two weeks before Information Minister Mohammad Javad Azari Jahromi acknowledged the breach on December 10, attributing it to a disgruntled contractor with system access rather than an external hack.

The breach impacted approximately 20% of Iran’s population, causing widespread customer anxiety and operational disruptions. Iran’s cyberpolice issued email alerts titled “Your bank account is in danger of illegal usage,” instructing clients to visit branches and replace their cards, while the affected banks sent text message notifications. None of the three banks released public statements confirming the breach. Cybersecurity firm ClearSky assessed the attack required high technological capability consistent with state-sponsored actors, noting it damaged Iran’s financial transaction flow and bank reputations. The incident compounded economic strain from U.S. sanctions, which had previously targeted these banks for allegedly facilitating transactions for Iran’s Islamic Revolutionary Guards Corps. Analysts warned the breach could trigger long-term customer distrust and withdrawals. An Iranian legal group, the Citizenship Protection Foundation, offered free consultations to victims as intelligence agencies investigated. The breach followed a pattern of cyber hostilities between Iran and adversaries like the U.S. and Israel, including past Iranian attacks on American banks and a 2012 Iranian banking breach exposing three million accounts.
