Cyber Incident Victim: Iran
Date: Nov 2019
Location: Iran
Summary
A major security breach exposed millions of Iranian bank accounts following protests, with details of 15 million debit cards leaked online, impacting customers of three sanctioned banks. Iranian officials attributed the incident to a disgruntled contractor, while external cybersecurity experts suggested state-sponsored involvement due to the attack's sophistication. The leaked data, published via Telegram, included account holders' names and numbers, prompting customer panic and potential long-term reputational damage to the financial institutions. This incident occurred amid ongoing cyber hostilities between Iran and adversarial nations, exacerbating existing economic challenges from sanctions and domestic unrest.
Description
In November 2019, during widespread antigovernment protests across Iran, demonstrators set fire to approximately 730 bank branches. Shortly after these physical attacks, a digital breach emerged that exposed the personal banking information of millions of Iranians. On November 27, details of debit card accounts began appearing on a Telegram channel called "Your banking cards," escalating over subsequent days until 15 million bank card records were published by December 10. The breach primarily affected customers of Iran's three largest banks—Mellat, Tejarat, and Sarmayeh—all previously sanctioned by the U.S. Treasury for alleged financial ties to Iran's Islamic Revolutionary Guards Corps. The leaked data included account holder names and account numbers, though PIN codes appeared obscured, alongside instructions for creating counterfeit cards using the compromised information. Telegram messages from the perpetrators claimed they had attempted to extort the banks before releasing the data, stating their intent to "burn the reputation of their banks" in retaliation for being ignored.

Iran's Information Minister Mohammad Javad Azari Jahromi attributed the breach to a disgruntled contractor with system access, denying any external hacking of banking computers. However, cybersecurity firm ClearSky assessed the attack's scale and sophistication indicated state-sponsored involvement, noting such capabilities typically reside with intelligence services. The Iranian government delayed public acknowledgment for nearly two weeks, with banks issuing no formal statements despite sending customers text alerts and emails titled "Your bank account is in danger of illegal usage," instructing them to replace cards at branches. The breach impacted approximately 20% of Iran's population, exacerbating economic instability from U.S. sanctions and eroding public trust in financial institutions. An Iranian legal group, the Citizenship Protection Foundation, offered free consultations to affected customers while intelligence agencies investigated. ClearSky warned Israeli credit firms on December 3 to prepare for potential retaliatory cyberattacks if Iran attributed the breach to foreign adversaries. This incident followed a 2012 hack exposing three million Iranian bank accounts and occurred amid a longstanding cyber conflict between Iran and the U.S.-Israel alliance, including past Iranian attacks on American banks and U.S. military authorization for preemptive cyber operations against Iranian targets.
