
MTBank: in the footsteps of MegaFon

No sooner had the news caused a stir about SMS messages “leaked” into open access from the MegaFon site than a similar misfortune overtook one of the well-known Belarusian banks.

Some time ago, the well-known Belarusian photographer Anton Motolko posted on Twitter that the personal data of people who had submitted a loan application was available at www.mtb.by/data/anketa/po_domashnemu. A little tinkering showed that a lot of other information was available in the /data/ directory on the server, from employee photos to credit applications (and, as suggested in the comments, debit cards) with the mother's maiden name and other passport data.

According to rough estimates, the number of available questionnaires exceeds 5,000.
At the moment the addresses are already closed, but who knows how many copies have been made?



UPD: The bank's official comment has appeared. In short: the questionnaires were filled in not by the bank’s clients but by people who wanted to become clients; no one knows whether they did, and therefore disclosing this information is not so terrible. In addition, the passport data “leaked” from a server outsourced to another company. Those who did become customers of the bank received an apology.

UPD2: The text of the official response from the management of MTBank:

“On the evening of August 10, 2011, information appeared about a technical failure on the bank’s website, as a result of which information on electronic applications about the possibility of obtaining bank services was temporarily available.

Official comment on the situation from the management of CJSC "MTBank":
This is not about the list of customers of MTBank, but about the list of individuals who applied via the MTBank website by filling out electronic preliminary statements directly on the website. From the contents of these statements, it is not possible to find out what the outcome of their consideration was and whether the applicants became clients of the bank as a result, let alone to get information about the conditions of specific contracts concluded.

It is also important that this information became available not from the internal servers of the bank, where information about the customers is stored directly and whose protection is ensured in full, but from the external servers of the contracting company that provides hosting services for the Bank’s website. To date, experts have eliminated all the consequences of the failure and have prevented similar problems in the future, having deeply analyzed the circumstances of its occurrence. Currently, the site www.mtbank.by works as usual.

At the same time, MTBank fully shares the responsibility for the circumstances along with its partners and offers its sincere apologies to the Clients and Internet users for the inconvenience. The bank is conducting an internal investigation, based on the results of which strict measures will be taken against those responsible.”

Source: https://habr.com/ru/post/126056/

