Sberbank customers could have had their personal data leaked by an insider, in what may be the largest bank data breach of its kind in the country’s history.

Analysts from security company DeviceLock reportedly found personal information relating to as many as 60 million Sberbank credit card holders for sale, stemming from a leak dated 24 August 2019.

The analysts managed to get hold of 200 sets of data from the seller for testing and confirmed them to be authentic before warning the bank.

In a statement posted online, Sberbank stated that it was investigating the potential leak: “An internal investigation is underway. Its results will be unveiled in a separate statement.

“A criminal wrongdoing of an employee is the primary lead, as no breach could have occurred from the outside – the database is isolated and has no outer network access.”

So far the bank has only confirmed the 200 data sets provided by DeviceLock as legitimate.

Sberbank has around 18 million active credit card accounts, meaning that a bulk of the data could come from closed or defunct accounts.

Russian newspaper Kommersant further verified the black market data by finding the details of its own journalists in the database.

The data set is divided into 11 parts, and each line is being sold for five rubles (eight cents).

Sberbank told Kommersant that the data did not contain the CVV codes on any of the cards, and that customers would not be at risk of payment fraud.

Now read: DSK Bank fined for data breach affecting 33,000 customers