What do VPBank and 9Pay say about the cyber security incident that occurred at CIC?

On the afternoon of September 12, Vietnam Prosperity Joint Stock Commercial Bank ( VPBank ) issued a notice regarding a cyber security incident that occurred at the Vietnam National Credit Information Center (CIC).

Previously, the Vietnam Cyber ​​Emergency Response Center (VNCERT) announced initial results showing signs of personal data breaches.

According to VPBank, the reporting of data to CIC is carried out by banks, including VPBank, in accordance with the regulations of the State Bank. The bank affirmed that some important customer information is not sent to the CIC system but is kept confidential at VPBank.

This data includes electronic banking system login information (username, password, biometric data); debit and credit card information (card number, CVV/CCC code).

VPBank's announcement said that the bank's e-banking system meets international security standards such as ISO 27001 and PCI DSS. Transactions are protected through multiple layers, including biometric authentication, OTP and SmartOTP.

According to VPBank, OTP/SmartOTP codes are one-time data, are not stored, and can only be disclosed in case the customer directly shares them or the device is taken over.

Currently, the Department of Cyber ​​Security and High-Tech Crime Prevention (A05) together with functional units of the State Bank and cyber security enterprises are coordinating to deploy technical and professional measures to respond, verify and ensure system safety.

VPBank recommends that customers follow information from official sources, avoid panic and be alert to scams taking advantage of the incident. The bank emphasizes that criminals cannot directly appropriate assets from this incident, but can use the information to spread malware and create fake scenarios.

Therefore, customers should not install applications from unofficial sources and absolutely do not provide OTP/SmartOTP codes to anyone, including people claiming to be bank employees.

Also related to this incident, 9Pay Company also confirmed that it did not share or transmit any data of 9Pay and 9Pay customers to CIC. Therefore, all personal information, card information and transaction data of customers using 9Pay services were not affected by the above incident.

This unit affirmed that the 9Pay system has been applying strict security measures, including: Always complying with information data protection laws and having PCI DSS standards to ensure card information security according to regulations of the State Bank; encrypting all payment information and personal identification; quarterly periodic assessment and review process; being independently assessed by international organizations every year.

In particular, 9Pay has been granted PCI DSS level 1 certification - the highest and most stringent level of the Payment Card Industry Data Security Standard, ensuring that all transactions through the 9Pay payment gateway comply with international security standards. As a fintech specializing in digital payment platforms, 9Pay is serving hundreds of thousands of customers and transactions every day. Aware of the importance of payment data security, 9Pay always proactively reviews all activities of storing, transmitting, protecting and using personal data throughout the process of operating products and services./.

Source: https://www.vietnamplus.vn/vpbank-9pay-noi-gi-ve-su-co-an-ninh-mang-xay-ra-tai-cic-post1061509.vnp