Cyber Incident Victim: Banco BCR
Date: Aug 2019
Location: Costa Rica
Summary
Hackers linked to the Maze Ransomware group breached the state-owned Banco BCR, stealing approximately 11 million credit card credentials—including 4 million unique entries and 140,000 tied to U.S. individuals—along with several years of other data. The attackers claimed to have accessed the network twice, abstaining from encryption due to concerns over excessive damage and global circumstances, but exfiltrated sensitive information and posted partial card details as proof. They attempted to negotiate a ransom with the bank, threatening to sell the stolen data on the dark web if demands were unmet.
Description
In August 2019, operators of the Maze Ransomware allegedly infiltrated the network of Banco BCR, Costa Rica's state-owned bank, but chose not to deploy encryption due to concerns over the potential scale of damage. The attackers claimed the bank failed to remediate security vulnerabilities, enabling them to regain network access in February 2020. During this second intrusion, Maze exfiltrated multiple years of data, including 11 million credit card credentials. The stolen dataset purportedly contained 4 million unique credit cards, with approximately 140,000 belonging to U.S. citizens. Attackers publicly disclosed partial card details—including redacted numbers, expiration dates, and CVC codes—for 240 accounts as evidence of compromise. Maze representatives stated they refrained from encrypting systems during the 2020 breach due to ethical considerations amid the global pandemic.

The ransomware group attempted to contact Banco BCR multiple times with unspecified ransom demands, threatening to sell the data on dark web markets if negotiations failed. Maze framed their actions as a service exposing security deficiencies, asserting their intrusion demonstrated how "half a bank could be pulled out" through systemic vulnerabilities. Banco BCR did not publicly acknowledge the incident or respond to media inquiries from BleepingComputer regarding the alleged breach. Financial impact estimates and details about affected internal systems remained undisclosed by both the attackers and the bank. Customers were advised by third parties to monitor accounts for fraudulent activity, though no official bank communications were referenced in available reports. The incident highlighted Maze's pattern of targeting high-profile organizations, following previous attacks against Cognizant, Chubb, and Hammersmith Medicines Research LTD.
