Maze ransomware operators have published credit card data stolen from the Bank of Costa Rica (BCR). They threaten to leak similar files every week.

The hackers are doing this in support of their claim to have breached BCR in the past and the bank’s denial of these intrusions.

Valid numbers inside

In a post on their “leak” site this week, Maze operators shared a 2GB spreadsheet with payment card numbers from customers of Banco de Costa Rica.

The attackers say that they released the data because they are not looking to make any profit off it. Instead, they want to draw attention to the bank’s security lapses when it comes to protecting sensitive information.

Several screenshots from the database accompany the announcement, showing unencrypted credit card numbers. Together, the images contain data for at least 50 cards (some are listed multiple times). Previously, they published over 100 partial numbers (last four digits removed) with expiration date and verification codes.

Bank identification number (BIN) details showed that they were Visa or MasterCard debit cards issued by BCR.

It should be noted that one of the card validation sites states that the validity of a number does not guarantee that it is also in use. However, the details were confirmed when verified on a second online checker.

On April 30, Maze ransomware operators claimed to have more than 11 million cards from BCR, with 4 million being unique and 140,000 belonging to “US citizens.”

Maze said that they first gained access to the bank’s network in August 2019 and again in February 2020, to check if security had improved.

They chose to exit without encrypting the systems the second time because it “was at least incorrect during the world pandemic” and “the possible damage was too high.” But they did not leave empty-handed.

Battle of statements

The bank issued a public statement that day saying that following an “exhaustive verification” they can “firmly confirm that the institution’s systems have not been violated.”

In response, Maze released four days later a spreadsheet with details about systems they claim to be from BCR’s network. On May 21 they dumped the payment card data.

The bank issued another statement on May 22 reiterating that multiple analyses from internal and external specialists confirmed that the systems were not accessed without authorization and that clients’ transactions were not impacted.

At the beginning of the month, Maze announced that they reached out to the bank multiple times with a ransom demand and that they may sell the card data on the dark web.

Even if they spared BCR’s systems from encryption, the ransom was for showing the institution the vulnerable spots on its network.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.