The revenge of a bank employee and a fine of 74,400 dollars for a human error

Today, we're going to examine two recent data leak incidents caused by employees.

In Jakarta, a man was charged with selling financial information on his former employer’s clients on a DarkNet forum. The incident came to light in July 2020 after one of the employees of the BCA bank received a complaint from a customer.

The data on 20,000 people on sale included:

  • Online banking account numbers
  • Mobile numbers 
  • Transaction information on those accounts.

The data was posted from the account of a breachforum member known by the nickname KillTheBank. After an investigation, the police officers managed to identify the culprit. The person in question is a 28-year-old resident of Tebet, South Jakarta. He was an employee of the online lending platform of BCA bank from 2017 to 2020, and allegedly stole the data.

According to the police investigating the case, the motive for selling confidential data was personal gain and a desire to get back at his superiors. The amount earned by the suspect is unknown. He currently faces more than five years in prison and a fine.

The second incident was also a data leak, but unlike the first one, it was not  deliberate . The data on more than 1.4 million users was stolen because an employee accidentally saved the key’s software code in a GitHub repository. The incident happened with the cashback platform ShopBack. Two days after the key was added to the repository, a team member discovered the mistake and removed the key. However,  it could still be seen through the commit history in GitHub.

The access key in question granted all administrative privileges. As a result, the attacker discovered the key and used it to gain access to ShopBack's customer storage servers.

The data, offered for sale on an online forum included:

  • More than 1.4 million email addresses
  • 840,000 names
  • 450,000 mobile phone numbers
  • 300,000 bank account numbers
  • Partial information on 380,000 credit cards.

ShopBack was fined $74,400 by Singapore's data protection watchdog in connection with the incident.

Unfortunately, data leaks caused by employees are not uncommon, We often report on similar incidents, including Sabotage of a water treatment facility and data theft by an employee in Central Florida.

Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.