Skip to main content

In this Sunday, July 7, 2019, photo, Iran's telecommunications Minister Mohammad Javad Azari Jahromi is interviewed by The Associated Press at his office in Tehran, Iran. Jahromi acknowledged a cyberattack on his country, claiming it was state-sponsored but offering no evidence.

Vahid Salemi/The Associated Press

Iran’s government has acknowledged that it faced a “very big” cyberattack, following a report in The New York Times this week that information from 15 million Iranian bank accounts was stolen and published online after widespread street protests were crushed in November.

Iran’s telecommunication minister, Mohammad Javad Azari Jahromi — who had previously dismissed the bank-account theft as an insider extortion plot — said the attack had been state sponsored, but he offered no evidence to back up the claim. He said details and the country deemed responsible would be revealed after investigations had been completed.

Azari Jahromi said Iran’s cybersecurity unit had thwarted the attack, making no direct mention of the compromised bank accounts.

Story continues below advertisement

“We faced a very well-coordinated state-sponsored cyberattack on the government’s digital infrastructure,” Azari Jahromi told reporters in Tehran on Wednesday. “It was a very big attack.”

He made the announcement the same day that Telegram, the popular phone app widely used in Iran, shut down the channel where the bank account details had been revealed for all to see.

The Telegram channel was created on Nov. 27 and until Dec. 5 had been home to the uploaded names and details for debit cards tied to the accounts of millions of Iranians who are clients of three banks — Mellat, Tejarat and Sarmayeh.

All three were the target of U.S. sanctions a year earlier over what American officials described as prohibited financial transfers done on behalf of Iran’s Revolutionary Guard.

“We routinely close down channels which publish personal data like passport scans or credit card numbers,” said Markus Ra, spokesman for Telegram. This channel was closed, he said, when a user reported it to the company after the publication of The Times article.

A week earlier, Azari Jahromi had characterized the breaching of the bank accounts as the act of a disgruntled former contractor he said had obtained access to the information and was using it for extortion. As of Thursday, the banks had not issued a public statement about the breached accounts.

But it appeared the problem continued even after the channel was erased from Telegram.

Story continues below advertisement

Some Iranians posted screenshots of emails they had received from accounts with addresses identical to the customer service departments at two of the banks. The emails showed the account holders’ personal identification details and warned them: “We are in control of your bank information and your bank is lying to you.”

The emails advised these customers to take immediate action but did not specify what it should be. One Iranian said on Twitter that some of these emails contained an attachment file with the numbers of millions of leaked accounts.

An Iranian cybersecurity expert based in New York, Amir Rashidi, said he had traced the emails to a server in Germany.

Cybersecurity experts said that a breach of this magnitude could have been the work of a state actor, although there have been sophisticated attacks on Western banking systems that turned out to be organized by criminal groups.

They also said there was always the possibility that the attack had been the work of an insider.

Iranian media said the attack was the largest banking security breach in Iran’s history.

Story continues below advertisement

While there is constant cyberconflict between the United States and Iran, American financial institutions and the Federal Reserve have long been leery of offensive actions by the U.S. government against other country’s financial systems. They fear that might legitimize reprisals against American accounts.

For Iran, the breach is the latest in a wave of challenges.

In the past month, Iran announced it was facing a significant budget deficit because of U.S. economic sanctions, it crushed nationwide demonstrations with a deadly response that has been widely criticized, and it contended with growing regional resentment. That is especially the case in Iraq, where Iran has exerted significant influence.

Experts said that the bank breach, at the very least, could create a crisis of public trust with the country’s financial institutions.

Boaz Dolev, chief executive of ClearSky, a cybersecurity company that was among the first outside Iran to spot the banking breach, said he believed the affected banks had deliberately kept quiet. Dolev speculated that the banks did not cancel the accounts “because they do not want to panic the public or they will find it very difficult to issue new cards.”

In Israel, which like the United States has engaged in cyberconflict with Iran, news about the Iranian banking breach raised suspicions that Iran might blame Israel and take revenge. An Israeli banking official said two of the country’s biggest banks on Wednesday raised their cyberattack warnings to “top alert.”

Story continues below advertisement

A Middle Eastern intelligence official who tracks Iran and opposes its foreign policy said that over the past week, top Iranian intelligence agencies, including the large cyberunit inside Iran’s Ministry of Intelligence, had been trying to track down the source of the banking breach and those behind the creation of the now-erased Telegram channel.

The official, who spoke on the condition of anonymity to discuss intelligence matters, said the security authorities in Iran were taking a serious stance on the breach and believe it had increased the potential for a renewed flare-up of anti-government demonstrations, given the “damage to many citizens and the regime’s failure to prevent such information leaks.”

Related topics

Report an error
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter
To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies