In this week’s digest, we look at two major cybersecurity developments. In Vietnam, criminals claim to have stolen 160 million records from the National Credit Information Center, the government’s central database for financial and credit information. Meanwhile, Morocco’s National Social Security Fund has launched a $4 million tender to strengthen its defenses following recent data breaches.

A major security incident affected the National Credit Information Center (CIC) in Vietnam. Criminals have claimed to steal 160 million records from the government-owned organization. If the rumors are true, the breach could have a large-scale impact on Vietnamese people. Firstly, the number of records exceeds the total population, signaling that the dataset possibly contains multiple records per individual. Secondly, the CIC serves as the country’s central repository of credit data. The incident may therefore have nationwide repercussions.

The National Credit Information Center is a government-owned database that collects and processes credit information from banks, financial institutions, insurance companies, and other financial services. As the data aggregator, the CIC collects such records as loan amounts, repayment histories, and personal identification details, which are used for assessing credit risks, making lending decisions, and other financial operations within Vietnam’s financial system.

According to descriptions from the attackers, the breach reportedly includes:

• Personally identifiable information (PII)
• Credit payment histories and risk analysis data
• Credit card details (some encrypted)
• Military, government, and tax IDs
• Income statements, debt records, and employment information
• Banking details and contact information

Criminals had published a sample of data, which has mentions of several major Vietnamese banks such as VietCredit, MB Bank, Ocean Bank, VPBank, Sacombank, and Agribank. However, none of the mentioned institutions have confirmed the incident. Journalists contacted several individuals whose personal identifiable information was mentioned in the leak. The individuals confirmed the authenticity of records.

The data breach could have lasting implications given criminals can use the stolen data to carry out further offenses, such as phishing, social engineering attacks, and identity theft. Stolen data pose a long-term threat because personal information remains valid for a long time.

Morocco has learned a hard lesson about the importance of effective information protection after falling victim to a major data breach. The story began in April 2025, when the National Social Security Fund was targeted in a cyberattack. Up to four million people may have been impacted, according to early reports. In contrast, more recent estimates indicate that sensitive data from 500,000 companies and two million employees was exposed. This breach has contributed to a staggering 312% increase in the volume of leaked data linked to Moroccan organizations.

Concerns grew further in September with rumors of a second cyberattack on CNSS, reportedly more severe than the first. Some sources claim it compromised family records and personal documents, though CNSS representatives have neither confirmed nor denied these reports.

In September, the National Social Security Fund launched an international tender worth $4 million to enhance its cybersecurity posture. The tender is focused on acquiring necessary technical expertise, advanced technical solutions, and the implementation of security systems in accordance with Law 09-08 on the protection of personal data. The aim of the tender is to supply the CNSS with organizational and logistical measures sufficient to ensure data confidentiality and reliability.

The specifications impose strict requirements: destruction of files after the execution of contracts, prohibition of any unauthorized use of data, and the establishment of performance indicators to measure the effectiveness of the devices.

This development highlights the simple truth that sufficient security measures should be implemented preemptively, not after the damage has been caused. Exposure of confidential data, especially personally identifiable records, has a lasting effect, as it can’t be changed as easily as credentials. Organizations must not overlook regulatory standards, as strict compliance is key to ensuring a strong level of data protection. Beyond legal requirements, safeguarding data is also essential for maintaining customer trust and protecting valuable trade secrets.

The traditional in-house model of information security is not always the best choice for many companies, as it demands significant financial and human resources. This challenge is especially acute for small- and medium-sized businesses. Yet, in today’s environment of stricter data protection regulations and rapid digitalization, ensuring reliable and efficient protection of confidential data has become essential.

To address these challenges, SearchInform developed the Managed Security Service. The subscription-based model saves expenses and provides a comprehensive package of security solutions and specialized expertise. SearchInform combines deep knowledge from developers with efficient protection of corporate assets.

For new clients, we offer a free 30-day security audit with a provided report on detected incidents. This audit provides deep insights into security threats, potential cases of corporate fraud, and inefficient business practices during working hours.It helps you determine whether the service truly meets the needs of your organization.