City Bank PLC has already fixed the issue and declared that the hacker was unable to carry out any transactions or other unauthorized actions. According to a recent blog post by the Bangladesh Cyber Security Intelligence (BCSI), City Bank PLC suffered a cybersecurity breach in which private client financial information was exposed and sold on underground hacking forums. BCSI confirmed the incident in early 2025, which raises serious concerns about the cybersecurity posture of the country’s financial institutions. After learning of the incident, BCSI alerted City Bank, which promptly fixed the vulnerability; by January 3, 2025, the problem was fixed.
BCSI had previously alerted City Bank about system vulnerabilities and possible exploitation risks in the middle of 2024. Researchers showed how hackers may obtain private data and take money from clients. According to BCSI’s blog, City Bank allegedly resolved the immediate problems, but later developments indicate these actions were insufficient.
A CS-CERT contributor warned BCSI in December 2024 about a threat actor selling City Bank’s customer statements on underground forums. An examination found a flaw that permitted unauthorized access to client statements, confirming the veracity of these assertions.
BCSI claims that technical shortcomings in session management enabled the hack. Because of poor session handling, attackers were able to get around weak multi-factor authentication (MFA): a session that had already been authenticated could be reused, after login, to access other customers’ accounts. Mashrur Arefin, the MD and CEO of City Bank, confirmed the breach in an official statement.
City Bank offers a web portal, protected by a One-Time Password (OTP) and Two-Factor Authentication (2FA), through which users can download their account statements. According to the statement, this portal, known as the “Statement Portal,” is used only to generate account statements.
According to the official statement, “a system ‘glitch’ occurred on January 2, 2025, allowing a hacker to get past the 2FA process and access other customers’ account statements.” Because the hacker could only access accounts whose numbers he already knew, only a small number of account statements were acquired in this manner. The bug meant the system was unable to deliver OTPs to the account holders’ registered phone numbers, and this failure is what allowed the hacker to access the statement or statements without authorization.
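The two weaknesses the report describes, an OTP step that is skipped when the code cannot be delivered and a logged-in session that is allowed to name any account number, are a well-known pair of portal defects. The following is an added illustration of the weak pattern beside the hardened one; it is constructed example code, not City Bank’s software, and the customer names, account numbers and statement text in it are made up.

```python
"""Statement-portal authorization: the weak pattern beside the hardened one.

Constructed illustration (not City Bank's code) of two defects: a 2FA step
that passes when the OTP was never delivered, and a handler that serves any
account number a logged-in session asks for instead of the session's own.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: account number -> owning customer, and statements.
ACCOUNT_OWNER = {"1001": "alice", "1002": "bob"}
STATEMENTS = {"1001": "statement for 1001", "1002": "statement for 1002"}


@dataclass
class Session:
    """Server-side session state for one logged-in customer."""
    user: str
    otp_code: Optional[str] = None   # OTP issued for this session, if any
    otp_verified: bool = False       # True once a valid OTP was submitted


class PortalError(Exception):
    """Raised when a request is refused."""


def issue_otp(session: Session, delivered: bool) -> Optional[str]:
    """Generate a one-time code; `delivered` simulates the SMS gateway result.

    When delivery fails no code is stored. Whether the portal then fails open
    or closed is decided by the verification routine, below.
    """
    code = f"{secrets.randbelow(10**6):06d}"
    session.otp_code = code if delivered else None
    session.otp_verified = False
    return session.otp_code


# --- Weak pattern: fails open, trusts the account number in the request ------

def verify_otp_fail_open(session: Session, submitted: str) -> bool:
    """Weak: if no OTP was ever issued, the step is treated as satisfied."""
    if session.otp_code is None:
        session.otp_verified = True
        return True
    ok = secrets.compare_digest(session.otp_code, submitted)
    session.otp_verified = ok
    return ok


def vulnerable_get_statement(session: Session, account_no: str) -> str:
    """Weak: any logged-in session may fetch any account number it names."""
    if session is None:
        raise PortalError("login required")
    return STATEMENTS[account_no]


# --- Hardened pattern: fails closed, binds the account to the session owner --

def verify_otp(session: Session, submitted: str) -> bool:
    """Only a code that was actually issued and delivered can satisfy the step."""
    if session.otp_code is None:
        raise PortalError("no OTP issued for this session; step-up not satisfied")
    if not secrets.compare_digest(session.otp_code, submitted):
        return False
    session.otp_verified = True
    session.otp_code = None  # single use: a replayed code must not pass again
    return True


def hardened_get_statement(session: Session, account_no: str) -> str:
    """Require a completed OTP step and ownership of the requested account."""
    if session is None:
        raise PortalError("login required")
    if not session.otp_verified:
        raise PortalError("OTP verification required")
    # Authorization is decided by the session's identity, never by the account
    # number the client supplied. Unknown and foreign accounts get the same
    # refusal so the response does not reveal whether an account exists.
    if ACCOUNT_OWNER.get(account_no) != session.user:
        raise PortalError("account not accessible from this session")
    return STATEMENTS[account_no]


def demo() -> dict:
    """Run both patterns against the same requests; returns outcomes for review."""
    results = {}
    # Weak flow: delivery fails, the step passes anyway, a foreign account is served.
    weak = Session(user="alice")
    issue_otp(weak, delivered=False)
    results["weak_otp_passed_without_delivery"] = verify_otp_fail_open(weak, "000000")
    results["weak_served_foreign_account"] = vulnerable_get_statement(weak, "1002")
    # Hardened flow: delivery failure blocks the step; after a real OTP, own account only.
    hard = Session(user="alice")
    issue_otp(hard, delivered=False)
    try:
        verify_otp(hard, "000000")
        results["hard_otp_without_delivery"] = "passed"
    except PortalError:
        results["hard_otp_without_delivery"] = "refused"
    code = issue_otp(hard, delivered=True)
    verify_otp(hard, code)
    results["hard_own_account"] = hardened_get_statement(hard, "1001")
    try:
        hardened_get_statement(hard, "1002")
        results["hard_foreign_account"] = "served"
    except PortalError:
        results["hard_foreign_account"] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The hardened handler makes two decisions the weak one does not: an undelivered OTP is a refusal rather than a pass, and the account served is looked up from the session’s identity rather than from a number the client typed. Terminating every session that was active during the incident, as the bank reports doing, is the matching operational step, since a fix to the handler does nothing for sessions that already passed the weak check.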
“This vulnerability solely affected the ability to see account statements,” the City Bank statement says; that is, the hacker was unable to carry out any transactions or other unauthorized actions. The statement adds that City Bank addressed the issue promptly, with its computer security team reviewing the portal’s environment, terminating all circumvented sessions, and revoking all access. The bank also deployed a dedicated real-time monitoring team to oversee further actions.
“To ensure such incidents do not recur, the IT team, through its developer wing, has already implemented robust measures to prevent similar vulnerabilities in our portals. Also our Security Operations Center (SOC) team has enhanced its 24/7 monitoring capabilities. With full assurance we can inform our customers that such incidents will not take place again,” City Bank said in its official statement regarding the issue.
Before City Bank could submit their official statement on the matter, an earlier version of the story was published. Since then, the story has been revised and reprinted to include City Bank’s statement.
Source: The Daily Star