HANOI — Vietnam has become the latest country to face a sweeping data breach that could impact most of its population. Hacker group ShinyHunters claims to have exfiltrated more than 160 million records from the Credit Institute of Vietnam (CIC), the state-run agency responsible for managing national credit information.
A Breach on a National Scale
While past global breaches have made headlines for their size — from Facebook’s 2019 incident affecting 553 million users to Ecuador’s 2019 database leak that exposed nearly the entire country — Vietnam now finds itself in a similar position.
CIC, which operates under the State Bank of Vietnam, plays a critical role in collecting, storing, and analyzing credit data on both individuals and organizations. It provides credit ratings, helps mitigate financial risks, and delivers official credit information services nationwide.
ShinyHunters boasted on Telegram that Vietnam was “owned within 24 hours.” They later listed the data for sale on a dark web forum, posting samples allegedly showing sensitive personal and financial records, including:
- General personal identifiers (PII)
- Credit payment histories and risk analyses
- Encrypted credit card data (requiring decryption)
- Military and government ID numbers
- Tax IDs and income statements
- Debt obligations
The dataset, according to ShinyHunters, spans historical records as well, which could explain why the number of entries — more than 160 million — exceeds Vietnam’s current population of approximately 102 million.
How the Hack Happened
Speaking to cybersecurity monitoring site DataBreaches.net, ShinyHunters claimed they targeted CIC due to the vast scale of its database, estimated at more than 3 billion records across all tables. They said they exploited an “n-day vulnerability” in software that was already at its end of life, meaning no security patch was available.
When asked whether extortion or ransom demands were made, ShinyHunters said no attempt was pursued, as they assumed CIC would not respond. Instead, the data was put up for direct sale.
Who Is Behind It?
The breach has been attributed directly to ShinyHunters. The group clarified it was not linked to other well-known cyber collectives such as Scattered Spider or Lapsus$, despite years of speculation about overlaps.
Why This Matters
If confirmed, the CIC breach would represent one of the most severe cybersecurity incidents in Southeast Asia. By potentially exposing the financial and personal data of nearly every Vietnamese citizen, it threatens not only individual privacy but also financial stability and national security.
As the situation unfolds, regulators, banks, and individuals alike are being urged to strengthen security measures and prepare for possible misuse of leaked data.
Related
Discover more from Vietnam Insider
Subscribe to get the latest posts sent to your email.
Source: Vietnam Insider