The National Credit Information Center (CIC) of Vietnam has been targeted in a cyberattack by the notorious hacking group ShinyHunters, leading to the theft of personal data. The Vietnam Cyber Emergency Response Team (VNCERT) has confirmed that its investigation shows signs of unauthorized access, and samples of the leaked data have already been acquired by a cybersecurity firm. These samples indicate that a wide range of financial institutions in Vietnam, including VietCredit, MB Bank, Agribank, and Sacombank, have been affected. The attackers reportedly exploited an “n-day” vulnerability—a known but unpatched flaw—in end-of-life software used by the CIC, leaving the system vulnerable because no security patches were available.
ShinyHunters, one of the most prolific cybercriminal groups of the past five years, has been responsible for numerous high-profile data breaches impacting millions of users and major corporations worldwide. Rather than extorting the CIC, the group chose to list the stolen data for sale on a hacking forum on the dark web, providing a large sample as proof. Their victims have included Microsoft’s GitHub, AT&T, Ticketmaster, and Santander. The group’s operations have evolved from simple database thefts to more sophisticated attacks involving social engineering and cloud platforms.
The CIC was a prime target for this attack because it acts as a central hub for Vietnam’s credit data, creating a single point of failure that could affect a significant portion of the population. Cybersecurity experts warn that such incidents can have serious repercussions, including an increased risk of identity theft, financial fraud, and systemic instability. In response, Vietnamese law enforcement and data protection regulators have initiated a formal investigation to determine the full extent of the breach. The Department of Cybersecurity of Vietnam, along with major state-owned technology partners, was mobilized to assess the scope of the incident and identify vulnerabilities.
The State Bank of Vietnam (SBV) has issued a statement to reassure the public that commercial banks’ IT systems remain secure. The SBV confirmed that the data collected by the CIC does not include sensitive financial information like bank account numbers, balances, or debit and credit card details. While this is reassuring, other forms of personally identifiable information, such as contact details and references to financial institutions, were likely compromised and could be used by fraudsters. VNCERT has also issued a warning, urging people not to download or share the leaked data, reminding them that doing so is a violation of the country’s data protection laws.
Despite these assurances, the incident has raised concerns about the broader cybersecurity landscape in Vietnam. Investment bank JPMorgan noted that the breach could lead to higher costs for banks as they work to improve their security measures and could also pose a risk to deposit flows. While JPMorgan maintained its investment recommendation for Vietnamese banks, the incident highlights the ongoing threat posed by cybercriminals and the need for robust, proactive security measures to protect critical financial infrastructure and public data.
Reference:
