State Bank requires thorough correction of information system vulnerabilities

The above request was made by the State Bank on September 11 to credit institutions, payment intermediary service providers, credit information service providers, Deposit Insurance, Vietnam National Payment Joint Stock Company and the National Credit Information Center (CIC), after an incident with signs of data theft at CIC.

The State Bank said it received warnings from authorities and reports from members of the Banking Information Technology Security Incident Response Network about cybercriminals increasing targeted attacks, exploiting vulnerabilities and weaknesses in applications and information technology infrastructure.

Therefore, the Director of the Department of Information Technology (State Bank) requested units to strengthen information system safety and data security.

Leaders of these banks and businesses need to pay attention to information security in cyberspace and be responsible before the law and the Governor if there is a loss of network safety and security, data leakage, or state secrets in the units they manage.

Units need to thoroughly and promptly fix the loopholes and weaknesses that still exist in the information systems. At the same time, units need to upgrade and replace systems that still use outdated operating systems and applications that are no longer supported by the manufacturer.

The State Bank requires banks and payment intermediaries... to promptly update security patches for all devices in the system, especially servers, applications, network devices, and network security. Service ports on the server ensure that only necessary services are opened.

In addition, a series of other tasks to enhance system safety and data security were mentioned by the leader of the Information Technology Department, such as system administration access rights for officers, multi-factor authentication when accessing the administration of servers, applications and network devices, important network security, data loss prevention, encrypted storage of information and data (not public information and data)...

Units also need to assess information security with services provided by third parties, prevent and stop hackers from taking advantage of third-party security vulnerabilities to penetrate the unit's system (supply chain attacks).

In addition, units in the industry must regularly review threats on information systems, update intelligence on ongoing and upcoming threats to proactively and effectively respond to cyber attacks, as well as have plans and scenarios for response. Important data and applications must be backed up according to the regulations and instructions of the State Bank, ensuring recovery when necessary.

On the evening of September 11, the VNCERT Center under the Department of Cyber ​​Security and High-Tech Crime Prevention and Control - Ministry of Public Security said it had received a report of a "cyber security incident and signs of personal data violation" occurring at the National Credit Information Center (CIC) on September 10.

This unit has coordinated with enterprises providing network information security services and CIC, functional units of the State Bank to verify incidents, response techniques, collect data and evidence.

"Initial verification results show signs of cybercrime attacks and intrusions to steal personal data. The amount of data illegally appropriated is being continuously counted and clarified," the announcement said.

Recently, a number of organizations and businesses in Vietnam have become victims of cyber attacks. Last year, VnDirect, PVOIL, and VNPost were attacked by hackers who encrypted their data and ransomed them, affecting their operations.

The Vietnam National Credit Information Center (CIC) under the State Bank performs functions in the monetary and banking sectors and is well known for its role in supporting credit institutions in business operations and assisting borrowers in accessing credit sources.