In early 2025, the Bangladesh Cyber Security Intelligence (BCSI) discovered a serious issue: a threat actor was selling City Bank’s financial statements on underground hacking forums. This breach exposed sensitive client data and raised concerns about the cybersecurity practices of financial institutions in Bangladesh.
Initial Warning to City Bank
In mid-2024, BCSI warned City Bank about significant vulnerabilities in their system. Our researchers demonstrated how attackers could exploit these weaknesses to withdraw client balances and access sensitive information. City Bank quickly fixed the immediate issues to secure their systems, or so it seemed.
Discovery of the Breach
At the end of December 2024, a CS-CERT contributor alerted BCSI to a troubling incident: a threat actor was selling City Bank’s client statements on underground hacking forums for money. Taking this matter seriously, we began an investigation immediately.
We confirmed the threat actor’s claims were legitimate. Our NDVP (National Vulnerability Disclosure Program) researchers identified the vulnerability that the threat actor exploited. This oversight in City Bank’s cybersecurity posture allowed unauthorized access to client statements.
Technical Details of the Exploit
The breach involved a vulnerability in the system that could be exploited as follows:
Exploitation Overview:
- The attacker bypassed the multi-factor authentication process due to weak session management.
- Once logged in, previously authenticated sessions could be reused to access other accounts.
Session Issues:
- Session tokens were not properly invalidated, allowing attackers to reuse them and gain unauthorized access.
With this vulnerability, the threat actor could retrieve City Bank customers’ statements without needing further authentication.
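The controls that address the weaknesses listed above, shown as an added example that is not City Bank's or BCSI's code: server-side session records, token rotation when MFA completes, invalidation on logout and expiry, and a check that binds each statement request to the session's own account. The class name, method names, account identifiers and the 15-minute timeout are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 900  # seconds; assumed timeout for this example


class SessionStore:
    """Server-side session records keyed by an opaque random token (hypothetical)."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now

    def _issue(self, account_id, mfa_verified):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "account_id": account_id,
            "mfa_verified": mfa_verified,
            "expires": self._now() + SESSION_TTL,
        }
        return token

    def login_password_ok(self, account_id):
        # Password step only: the session exists but is not yet MFA-verified.
        return self._issue(account_id, mfa_verified=False)

    def complete_mfa(self, token):
        # Rotate the token on privilege change so the pre-MFA token stops working.
        record = self._sessions.pop(token, None)
        if record is None or record["expires"] < self._now():
            return None
        return self._issue(record["account_id"], mfa_verified=True)

    def logout(self, token):
        # Invalidate server-side; clearing the client cookie alone is not enough.
        self._sessions.pop(token, None)

    def can_read_statement(self, token, requested_account_id):
        record = self._sessions.get(token)
        if record is None:
            return False
        if record["expires"] < self._now():
            self._sessions.pop(token, None)  # expired tokens are purged, not reused
            return False
        # Require completed MFA and bind the request to the session's own account.
        return record["mfa_verified"] and record["account_id"] == requested_account_id
```

Every statement request goes through `can_read_statement`, so a token that is pre-MFA, logged out, expired, or issued for a different account is refused.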
Traditional Pentesting
Our previous report “Financial Threat Assessment 2024: National Security is at Risk” detailed why these serious vulnerabilities are happening. Banks are still applying traditional pentesting, which often misses critical security flaws.
The report highlighted that most banks face HIGH risks because their security measures are not up to the mark. BCSI encouraged skilled professionals to secure the country’s financial systems.
BCSI noticed that some companies try to take advantage when security warnings are issued. We also monitor such activities closely. Organizations taking action to improve their security posture can collaborate with us through [email protected]
Issue Fixed
In 2025, after the NDVP researcher discovered the issue, BCSI immediately informed City Bank. They acted quickly and fixed the vulnerability on Friday, January 3, 2025.
The exposure of City Bank’s client statements shows a critical gap in cybersecurity practices. BCSI urges organizations to protect sensitive data and prevent financial losses. Key measures include strong access controls, network security, data protection, employee training, third-party risk management, compliance with regulations, and continuous monitoring. These practices help reduce the risk of cyberattacks and safeguard valuable assets.