Major Data Breach At City Bank, Client Financial Statements Sold On Hidden Networks2 min read
In a grave cybersecurity incident, City Bank, one of Bangladesh’s leading financial institutions, has suffered a breach exposing sensitive client financial statements. These confidential records were reportedly sold on underground hacking forums, as revealed by the Bangladesh Cyber Security Intelligence (BCSI) reportedly.
The breach, confirmed in early 2025, raises critical concerns about the resilience of cybersecurity measures within the country’s banking sector. According to BCSI, the vulnerability that led to the breach was resolved by January 3, 2025, but questions linger about why the bank’s defenses failed.
Read more: Bangladesh Bank Finds Tk 82.44 Lakh Mismatch In BRAC Bank Vault Records
BCSI had previously flagged weaknesses in City Bank’s systems back in mid-2024. At the time, experts demonstrated how attackers could exploit these flaws to withdraw funds and access sensitive data. While City Bank claimed to have addressed these vulnerabilities, the latest breach indicates that these measures fell short.
The first indication of this breach emerged in December 2024, when a contributor to CS-CERT alerted BCSI about a threat actor selling City Bank’s client financial statements on underground forums. An investigation confirmed the alarming legitimacy of the claims, uncovering a technical flaw in session management as the root cause.
BCSI’s investigation revealed that the attackers bypassed inadequate multi-factor authentication (MFA) and exploited weak session handling.
The breach was enabled by:
- Reused Sessions: Attackers exploited previously authenticated sessions to access unauthorized accounts. Utilizing the flaws in technical aspects of managing sessions.
- Faulty Session Tokens: Failure to properly invalidate session tokens allowed continuous access to other accounts, giving attackers a gateway to sensitive client data.
This glaring oversight exposed critical gaps in City Bank’s cybersecurity framework, allowing attackers to retrieve sensitive financial statements undetected.
The incident states a broader cybersecurity crisis in Bangladesh’s financial sector. BCSI’s 2024 report, “Financial Threat Assessment 2024: National Security is at Risk,” criticized outdated penetration testing methods widely employed by financial institutions. These antiquated practices often fail to identify and mitigate advanced vulnerabilities, leaving banks vulnerable to sophisticated cyberattacks.
BCSI has urged immediate reforms, calling for:
- Robust access controls.
- Advanced data protection measures.
- Comprehensive network security protocols.
- Employee training in cybersecurity best practices.
- Strict adherence to international compliance standards.
City Bank has yet to release an official statement regarding the breach. The institution’s silence has only deepened concerns among clients and industry observers about the adequacy of its security measures and its ability to handle such crises.
As the financial sector grapples with rising cyber threats, the City Bank breach serves as a stark warning; robust cybersecurity is not optional, it is an absolute necessity.
For more updates, be with Markedium.