Thursday, April 8, 2010

German Government Pays Hacker For Stolen Bank Account Data

By Ryan Barnett 04/08/2010

The latest entry to the WASC Web Hacking Incident Database (WHID) is pretty interesting (below). The attack method is currently unknown (most likely candidate is SQL Injection due to bulk extraction of account holder data) however this story is a really good discussion topic and is why it is being included in WHID at this time.


The short of it is that someone hacked into some banks in Germany and Switzerland and stole account data about customers. Many of the banks are used as havens for people to hide their money for tax evasion purposes. The banks identified that this happened and did not notify their customers that their data was stolen. Well, the attacker decided to sell the stolen account data to the German government who then used the data to track down the account holders who were hiding money. The German government is now seeking back taxes and penalties against the account holders. The final piece of the story that is interesting is that one account holder ended up suing (and won by the way) the Bank for not notifying him about the stolen data with the rationale being that if he had known then he could have come forward to the German government and avoided additional penalties during the grace period.


All I can say is WOW. All four players in this story (the account holder, the bank, the attacker and the German government) *all* have dirty hands... It will be interesting to see what plays out in the future and if other Governments adopt a similar philosophy of paying for stolen data.


Entry Title: WHID 2010-64: Taxman rakes in hundreds of millions thanks to stolen bank data

WHID ID: 2010-64

Date Occurred: April 7, 2010

Attack Method: Unknown

Outcome: Monetary Loss

Incident Description: A fascinating story about how the German government has decided to buy stolen bank data in order to go after German citizens who have not paid taxes on their hidden accounts.

An interesting twist in another case involving LGT Treuhand, a Bad Homburg business man won millions in damages in a suit against the bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their data had been sold, they could have turned themselves in, receiving temporary amnesty and much lower fines.

Attack Source Geography:

Attacked Entity Field: Finance

Attacked Entity Geography: Germany

Reference: http://www.thelocal.de/article.php?ID=26381


Update - Apparently, the attacker in this case was a former employee and stole the account data by burning them to CDs.

2 comments:

sam280 said...

Hrm, thanks but there's already a complete article in wikipedia about this incident:
http://en.wikipedia.org/wiki/2008_Liechtenstein_tax_affair

The "hacker" is named Heinrich Kieber and the "hacking method" is "being an LGT employee".

For a similar, more recent story between France and Switzerland,
see http://www.cbsnews.com/stories/2010/03/11/business/main6288337.shtml

Same hacking method.

Bipin said...

This raises the big question about privacy of customer in my point of view.
I think the more better solution that German government should follow is to contact directly to bank. Though there may be other concerns to this solution.