Update (May 25 at 7:45 p.m.):
Banco de Costa Rica (BCR) has now confirmed that a file leaked by ransomware group Maze contains personal credit and debit card information.
In an interview with La Nación, representatives from the state-owned bank said the leaked file doesn’t contain “the complete information necessary to perpetrate fraud.”
BCR says some 70% of the credit and debit cards published by Maze were already inactive, while the owners of the remaining 30% have been contacted and new cards issued.
“The bank takes responsibility for all its systems and, in case a person is affected by this situation, the bank will refund (the money) immediately,” Douglas Soto, BCR general manager, told La Nación.
“To date, no one has been affected.”
The file released by Maze, which has been reviewed by The Tico Times, contains some 6 million lines of apparent transactions from early 2018.
Maze has threatened to release similar batches of information each week.
To report a potential fraud, BCR customers should contact the bank immediately at +506 2211-1111.
Our original story follows:
Ransomware group Maze says it has gained access to personal financial information from the Banco de Costa Rica (BCR), though the state-owned institution has denied the existence of a data breach.
Maze claims to have compromised BCR’s systems beginning in 2019 and has threatened to publish credit card information online.
The ransomware group apparently released a batch of that data on May 21 and says it will leak more information each week. The Tico Times cannot verify the authenticity of the data.
“What exists is a database which the Maze hacker group indicates are card numbers stolen from the BCR,” said Costa Rican cybersecurity group ATTI CYBER, responding to an inquiry from The Tico Times.
“We cannot confirm or deny that there was a violation, but within the data published by Maze, there are apparent matches with real cards.”
BCR denies data breach
In a post shared on its social media pages and emailed to clients, Banco de Costa Rica said it has “not found evidence” that sensitive information has been compromised.
“BCR informs its clients and the general public that, once again on diverse media platforms, especially on social media, messages of extortion supposedly released by cybercriminals and related with a possible violation in the security systems of the bank have been circulated,” the bank said.
“After multiple analyses realized by internal and external specialists in information security, we have not found evidence that confirms that our systems have been compromised.
“The permanent monitoring of our clients’ transactions confirms that none have been affected.”
What should you do?
The first step to take after a potential data breach is to “confirm there was a breach at the company and find out if your information or online account was accessed,” according to security company Norton.
At the time of publication, BCR says it has found no evidence that its systems were compromised.
However, BCR customers in particular should keep a close watch on their accounts and immediately report possible fraud if they suspect unusual activity. (BCR says that you must file a report within 24 hours of the incident having occurred.)
To report a potential fraud, call BCR at +506 2211-1111.
BCR also handles non-urgent questions via WhatsApp (+506 2211-1135), an online chat platform and email at CentroAsistenciaBCR@bancobcr.com.