Two fresh banking data leaks surfaced
Security researchers say a Kasikornbank data dump dating from January 2026 is being sold on dark-web forums and, separately, a trove of 300,000 Belgian citizens’ records — including SSNs and IBANs — has been listed for bulk sale by a known actor. The Kasikornbank listing includes customer names, dates of birth and financial details, while the Belgian leak reportedly contains payroll and family data, implying a compromise of banking or social-security systems (x.com) (x.com).
Two new alleged banking-related data leaks are being marketed on cybercrime forums, one tied to Kasikornbank and another affecting about 300,000 people in Belgium. (darkwebinformer.com) (tornews.com)
The Belgian listing says a seller using the name “kuna” is offering records with Social Security numbers, International Bank Account Numbers, salary data, disability status and family details for roughly 300,000 citizens. (tornews.com)
Separate dark-web reporting around Kasikornbank points to customer identity and financial records being circulated, while another April 2026 post tied to KBank Vietnam described a much larger February 2026 extraction of 10,152,989 credit-registration records. (darkwebinformer.com) (leakradar.io)
A leak post is not the same as a confirmed breach. Cybercrime forums often mix authentic stolen data, recycled datasets and exaggerated claims, and banks or public agencies sometimes need days to verify whether samples are current and complete. (european-data-protection-board.europa.eu) (brightdefense.com)
The records described in the Belgian case are the kind criminals use for targeted fraud. An International Bank Account Number can help fake payment requests look real, and payroll or family fields can make phishing messages harder to spot. (tornews.com) (socradar.io)
In Europe, organizations that become aware of a personal-data breach generally must notify the relevant regulator within 72 hours if the incident poses a risk to people, and must also inform affected individuals if the risk is high. (european-data-protection-board.europa.eu 1) (european-data-protection-board.europa.eu 2) Belgium’s Data Protection Authority operates the breach-notification process, while the Financial Services and Markets Authority handles consumer warnings and complaints in the financial sector. (dataprotectionauthority.be) (fsma.be)
Kasikornbank says in its investor-relations materials that it gives priority to privacy and applies personal-data protection measures, but public confirmation of the specific January 2026 leak claim was not available in the sources reviewed. (kasikornbank.com) (darkwebinformer.com)
What happens next is usually quiet at first: sample verification, regulator notices, internal forensics and, if the data is real, a race to warn customers before the records are copied and resold again. (european-data-protection-board.europa.eu) (nudge.security)