InvestBank Says Leaked Data is From Old Breach

The hacker group that claimed responsibility for stealing and dumping 1.5 GB of data from the Qatar National Bank has now claimed responsibility for a 10 GB dump supposedly stolen from the Sharjah-based InvestBank. This was not unexpected, following hints last week that such a dump was imminent.

The group calling itself Bozkurt Hackers tweeted on 6 May, “Full DB + files from InvestBank UAE” along with a link. Although the shortened link in the tweet has been disabled (for violation of the URL shortening service’s terms and conditions) this was not before researchers got hold of the files. It primarily comprises spreadsheets, PDFs and image files in folders such as ‘Account Master’, ‘Customer Master’ and ‘Branch Master’. Another folder contains around 20,000 card details; and another contains thousands of individual bank statements.

However, there are serious doubts over whether this is indeed new data from a new breach. InvestBank has released a statement, “InvestBank would like to clarify that NO NEW data breach has occurred at the Bank. This is the same data that was stolen by the hackers last year and released again for unknown reasons/motives.” 

“At the moment, I would believe the bank,” F-Secure’s security advisor Sean Sullivan told SecurityWeek “This fake ‘Al Jazeera’ Twitter account is too eager to promote the ‘breach’. Such accounts are typically not a good sign that the dump contains new data.”

In December last year, Daily Dot reported that ‘Hacker Buba’ had attempted to extort $3 million from the same bank to prevent publication of stolen data. That data appears to have been even more extensive than the Bozkurt dump: “The actual data appears to be real,” reported Daily Dot at the time. “And it’s vast. One database analyzed by the Daily Dot includes the sensitive information of around 40,000 customers, including their full names, credit card numbers, and birthdays.”

A hacker by the name ‘Hacker Buba’ was attempting to sell this data via Twitter until late January. 

If, as currently seems likely, this new Bozkurt dump is old data, then it must also raise questions about the validity of the first Qatar National Bank dump. “The first person we saw to claim to have hacked [InvestBank] used the name ‘Hacker Buba’,” Mark Arena, CEO of Intel 471 told SecurityWeek. “The first claim appeared to include an effort to extort Invest Bank for Bitcoin. 

“Based on this,” he continued, “we believe it’s likely that both breaches were done by different people although we cannot be sure. Either way we don’t believe Bozkurt is linked to either incident and are republishing the data in an attempt to achieve online fame.”