US-based cyber security website databreachtoday.com says in a report that the stolen data was ‘apparently posted online’ on May 10 by the group Bozkurtlar.

The Bangladeshi banks whose data have been stolen are Dutch-Bangla Bank, The City Bank, and Trust Bank run by Army Welfare Trust.

Sanima Bank and Business Universal Development (BUD) Bank are the two Nepalese banks that came under cyber attacks.

According to the report, the same hacking group recently leaked data tied to Qatar National Bank and UAE's InvestBank.

databreachtoday.com says it contacted the five South Asian banks to talk about the data hacking but they did not respond.

bdnews24.com also tried to reach officials of the three Bangladeshi banks but failed as Friday was a weekend holiday.

Links to the file archives containing data from the five banks have been posted from a Twitter account supposedly operated by Bozkurtlar or ‘Grey Wolves’.

The databreachtoday.com report says the group appears to be making good on its threat to release data of more Asian banks, an indication that more such disclosures may be expected in the region.

Analysing the data

Quoting several security experts who have been following Bozkurtlar, the report says the data in the newest leak appears genuine, but the volume of data is smaller than in the QNB and InvestBank dumps.

The file archives posted were 11.2 MB from The City Bank, 312 KB from Dutch Bangla Bank, 95 KB from Trust Bank, and 251 MB and 47 MB from BUD Bank and Sanima Bank respectively.

The report says the scope of the data varies widely and that each of the zip files contains at least some customer information or account credentials.

Quoting security engineer Omar Benbouazza, databreachtoday.com says his analysis of the data points to a webshell upload being used at Sanima Bank and Dutch Bangla Bank, as was the case with Qatar National Bank.

A webshell is a piece of code uploaded to a server or computer that allows attackers to gain access, escalate privileges to admin/root and control the entire system.

A researcher who wished to remain anonymous says that the latest postings do not seem as significant as the previous two disclosures, but there are still elements that should be of concern.

No credit card numbers are present in the latest data dump, unlike the QNB and InvestBank leaks, the report says, quoting him.

Attempts have been made to verify the authenticity of each bank's data individually, it says.

Dutch Bangla Bank

The Dutch Bangla Bank archive appears to contain records of customer banking transactions - either physical or internet banking. The researcher says that using admin credentials found in clear text in the dump, he was able to gain access from the public internet to the bank's ATM transaction analyser for research purposes.

The username/password appears to be very simple or default, he explains. "The website of Dutch Bangla bank appears to contain vulnerabilities and could have been the point of penetration to the internal servers or files," the report quotes him as saying.

Trust Bank

databreachtoday.com says the Trust Bank archive contains two spreadsheets that, among other things, contain user ID, email, username and encrypted passwords. The latest file is from June 2015.

The City Bank

The report says The City Bank dump has a single spreadsheet, which appears to contain the personal information of at least 1 million bank customers.

Details include full name, father's name, mother’s name, date of birth, age, mailing address, contact number, permanent address and email. The most recent data is from August 2015.

Several months ago, a group of forgers withdrew Tk 2.06 million from the accounts of different customers by cloning their bank cards after stealing information through skimming devices at ATM booths.

Police arrested foreign national Piotr Szcdepan Mazurek for his involvement in the forgery after seeing CCTV footage of several ATM booths.

Four officers of The City Bank were also arrested over their alleged involvement in it.

In February this year, hackers transferred $81 million from Bangladesh central bank’s forex reserve account in the US to several accounts in the Philippines, in one of the world’s largest cyber heists.