What information does CIC store?

CIC collects 9 categories of information from credit institutions, including customer identification, credit contracts, and credit cards, but not card numbers, security codes, or payment transaction history.

Last week, the Vietnam National Cyber Security Center (VNCERT) reported signs of an attack and intrusion by criminals attempting to steal personal data from the Credit Information Center (CIC). The State Bank of Vietnam, CIC's governing body, later confirmed receiving a report about the incident.

CIC is a public service organization under the State Bank of Vietnam, established in 1999 after separating from the Credit Department. Its purpose is to support the State Bank in its monetary management function, while also supporting business for credit institutions and customers seeking loans.

Cybersecurity expert Ngo Minh Hieu described CIC as a centralized repository of customer credit data. He believes the criminals targeted CIC due to its "massive database" and the potential profit from selling the data.

According to Circular 15 of the State Bank of Vietnam, credit institutions provide CIC with 9 categories of information: customer identification, related individuals, credit activities, credit cards, financial reports (for corporate customers), and more.

Each category is further defined by the State Bank with specific data points, as outlined in Decision 573. For example, for individual and household business customer identification, credit institutions must provide CIC with the customer's name, date of birth, address, phone number, citizen identity card number, tax code, and spouse's name. Information about the workplace, position, years of experience, and average monthly income are also mandatory.

CIC collects information about credit contracts, such as the contract number, start and end dates, credit limit, and collateral status. Banks also provide CIC with information about credit security measures, including descriptions of the collateral, the owner of the assets, the valuation date, and the collateral value.

Regarding credit card information, CIC collects 21 mandatory data fields, such as contract number, credit limit, card code, card type, issuance method, card opening date, expiry date, and statement date. Information on card balances, the amount due on the statement, overdue amounts, the number of overdue days, and self-classified debt groups are also collected.

According to the State Bank of Vietnam, the information collected by CIC does not include deposit accounts, deposit balances, savings books, payment accounts, debit card numbers, credit card numbers, security codes (CVV/CVC), or customer payment transaction history. This was reiterated by major banks like Vietcombank, Agribank, Vietinbank, and BIDV after the incident.

CIC application interface. Photo: Phuong Dong

Associate Professor Dr. Nguyen Quoc Anh, a senior lecturer at the Banking Department of the University of Economics Ho Chi Minh City, stated that detailed information about each customer's deposits is strictly confidential and known only to the bank holding the account. This information is only disclosed at the customer's request or by investigative authorities. Therefore, he emphasized that in the event of a CIC data breach, deposits would remain unaffected.

Banks have also confirmed that their IT systems and CIC operate completely independently. Therefore, card services and online banking remain unaffected by the incident. "Blocking cards, freezing accounts, or changing passwords is unnecessary," commented Associate Professor Dr. Nguyen Quoc Anh.

However, he acknowledged that the incident at CIC could negatively impact credit institutions and both corporate and individual customers. Some users, in a state of panic, may freeze accounts or reduce credit limits, directly affecting banks' transaction volumes and income. For corporate customers, leaked information stored at CIC could be used for unfair competition between businesses, such as defamation to damage reputations.

According to Associate Professor Dr. Nguyen Quoc Anh, individual customers are the most vulnerable group. In addition to reputational damage, they may be threatened by loan sharks using the leaked information or manipulated into taking out other high-interest loans.

Cybersecurity expert Ngo Minh Hieu agreed, suggesting that criminals might target older adults due to their limited exposure to technology, trusting nature, and difficulty in distinguishing fraudulent calls or messages. Minors, students, and workers are also susceptible to scams involving attractive offers and promises of part-time jobs, quick loans, debt forgiveness, and credit limit increases.

Mr. Hieu advised people not to access links in messages or emails, especially those with unfamiliar attachments. He urged users to be wary of calls and messages impersonating CIC, banks, or authorities; not to believe in advertisements like "CIC debt forgiveness" or "0% interest quick loans"; and not to provide one-time passwords (OTPs) or transfer money to unknown accounts.

On 11/9, VNCERT, under the Department of Cybersecurity and High-Tech Crime Prevention of the Ministry of Public Security, reported, "Initial verification results indicate signs of cyberattacks and intrusions aimed at stealing personal data from CIC." The amount of illegally obtained data is still being assessed.

Phuong Dong

By VnExpress: https://vnexpress.net/cic-luu-giu-nhung-thong-tin-nao-4939467.html