City Bank PLC data breach exposes client financial statements

The Bangladeshi private commercial bank, City Bank PLC, headquartered in Dhaka, has confirmed that sensitive client financial statements were exposed in a significant cybersecurity breach and sold on underground hacking forums. The incident, disclosed by the Bangladesh Cyber Security Intelligence (BCSI) in early 2025, has raised serious concerns about the state of cybersecurity within the country’s financial sector.

According to a blog post by BCSI, the breach was traced back to a vulnerability in the bank’s session management systems. Attackers exploited this flaw to bypass multi-factor authentication (MFA) protections, gaining unauthorized access to client account statements. BCSI noted that weak session token handling and improper invalidation of tokens allowed the attackers to access multiple accounts using previously authenticated sessions.

The vulnerability first surfaced in mid-2024, when BCSI researchers warned City Bank about potential exploitation risks in its systems. While the bank reportedly addressed these issues, the recent breach indicates that the measures taken were insufficient.

In December 2024, BCSI was alerted by a CS-CERT contributor about a threat actor advertising City Bank’s client statements on underground forums. An investigation confirmed the legitimacy of the claims, and BCSI immediately notified the bank. By January 3, 2025, the issue was resolved.

City Bank’s Managing Director and CEO, Mashrur Arefin, confirmed the breach in a statement to The Daily Star. He detailed how attackers exploited a "system glitch" in the bank’s Statement Portal, a web platform that allows customers to download account statements using Two-Factor Authentication (2FA).

The glitch, which occurred on January 2, 2025, prevented the portal from sending One-Time Passwords (OTPs) to customers’ registered phone numbers, effectively nullifying the 2FA process. Hackers could then access statements of accounts whose numbers were already known to them.

In the official statement, Arefin emphasized that the breach was limited to viewing account statements and did not involve unauthorized transactions or other malicious activities.
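The two weaknesses described above, a 2FA step that fails open when OTP delivery breaks and session tokens that are never invalidated, can both be designed out in the session layer. The following Python is an added illustration written for this article, not City Bank's or BCSI's code; the class, its method names and the `send_otp` callback are assumptions.

```python
import secrets
import time


class OtpDeliveryError(Exception):
    """Raised by the delivery callback when the OTP could not be sent."""


class StatementPortalSessions:
    """Hypothetical session store for a statement portal (constructed example).

    A session unlocks statements only after the OTP is verified; if the OTP
    cannot be delivered the login fails closed instead of skipping 2FA, and
    logout deletes the token server-side so an old token cannot be replayed.
    """

    def __init__(self, send_otp, ttl_seconds=900, now=time.time):
        self._send_otp = send_otp  # callable(phone, code); raises OtpDeliveryError
        self._ttl = ttl_seconds
        self._now = now
        self._sessions = {}  # token -> session state

    def start_login(self, account, phone):
        """Issue a pre-MFA token, or None if the second factor could not be sent."""
        code = f"{secrets.randbelow(10**6):06d}"
        try:
            self._send_otp(phone, code)
        except OtpDeliveryError:
            return None  # fail closed: no session without a delivered OTP
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"account": account, "mfa_ok": False,
                                 "otp": code, "expires": self._now() + self._ttl}
        return token

    def verify_otp(self, token, code):
        """Promote the session to MFA-complete; the code is single use."""
        s = self._sessions.get(token)
        if s is None or s["otp"] is None or self._now() > s["expires"]:
            return False
        if not secrets.compare_digest(s["otp"].encode(), code.encode()):
            return False
        s["mfa_ok"], s["otp"] = True, None
        return True

    def can_download_statement(self, token, account):
        # Served only to a live, MFA-complete session bound to this account.
        s = self._sessions.get(token)
        return bool(s) and s["mfa_ok"] and self._now() <= s["expires"] and s["account"] == account

    def logout(self, token):
        self._sessions.pop(token, None)  # server-side invalidation
```

The account check in `can_download_statement` is what stops a valid session for one customer from being used to fetch statements for other account numbers the caller happens to know.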

