Banks’ customer data leaked

Credential and customer records from regional banks appeared for sale: creditor and staff data linked to Kasikornbank branches in Cambodia, Myanmar and Laos was reported stolen and listed on the dark web, and German banks had IBANs and names leaked online. The disclosures emphasise exposed identifiers that can be reused for account takeover and synthetic‑identity enrichment. (x.com, x.com)

Customer and staff data tied to regional bank operations has surfaced in criminal markets, exposing identifiers that can be reused in fraud and account takeovers. (darkwebinformer.com)

Kasikornbank lists overseas operations in Cambodia, Myanmar and Laos on its own network pages, and threat-intelligence posts reviewed this month described data linked to those markets as being offered for sale. KBank’s public materials also say it runs data-governance and privacy controls across the group. (kasikornbank.com, kasikornbank.com.la, kasikornbank.com)

In Germany, the leaked fields highlighted online were names and International Bank Account Numbers, or IBANs, the standardized account numbers used for domestic and cross-border transfers. German IBANs are 22 characters long and are mandatory for transfers. (iban.com)

An IBAN and a name are not enough by themselves to empty an account, but they are enough to make phishing messages, fake invoices and payment-redirection scams look more convincing. Kasikornbank’s own anti-phishing guidance warns that attackers use stolen banking details and one-time passwords to get into online banking and move money. (kasikornbank.com)

European banks have spent the past year adding a “Verification of Payee” check that compares the recipient’s name with the IBAN before a transfer is approved. The European Payments Council put that rulebook into force on October 5, 2025, and euro-area payment providers faced the new obligation from October 9, 2025. (europeanpaymentscouncil.eu, ecb.europa.eu)

German consumer groups say the new name-and-IBAN check was meant to close a gap that fraudsters had exploited by swapping account numbers while leaving a familiar payee name in place. That means leaked German banking identifiers now collide with a system designed to test whether payment details match. (verbraucherzentrale.de, vzhh.de)

The Southeast Asian angle lands in a region already under pressure over industrialized cybercrime. A United Nations-backed crisis described by Forbes in February centered on scam compounds in Myanmar, Cambodia and Laos that run bank-impersonation and investment fraud at scale. (forbes.com)

Kasikornbank’s latest public governance page says the bank reports major conduct breaches internally, and its 2025 summary said none of the important cases involved customer privacy violations. No public breach notice matching the alleged Cambodia, Myanmar or Laos exposure was readily visible in the bank’s investor-disclosure pages reviewed Monday. (kasikornbank.com, kasikornbank.com, kasikornbank.com)

What appears online next matters as much as what was first posted for sale: reused passwords can be reset, but names, account numbers, employer details and identity numbers can keep circulating long after a listing disappears. (darkwebinformer.com, kasikornbank.com)
