Breaking: Initial Findings on Illicit Data Harvesting in the CIC Cyberattack

This afternoon (September 12), the Department of Cybersecurity and High-Tech Crime Prevention (A05) under the Ministry of Public Security released preliminary findings regarding the personal data breach at the National Credit Information Center (CIC).

According to the announcement, since September 10, 2025, the National Cyber Emergency Response Center (VNCERT) and the National Cybersecurity Center under the Department of Cybersecurity have collaborated with relevant agencies to investigate, verify, and collect data and evidence for legal processing.

Initial results indicate that the illegally collected data from the National Credit Information Center (CIC) does not include: deposit accounts, deposit balances, savings books, payment accounts, credit card numbers, security codes (CVV/CVC), or transaction histories of customers.

Additionally, the information technology systems of credit institutions operate independently. Therefore, their service provision remains uninterrupted, secure, and stable, ensuring customers are unaffected by this incident.

VNCERT reiterates the following recommendations:

Citizens should follow guidelines from credit and financial institutions; there is no need to close or lock credit cards or bank accounts.

Avoid believing, commenting on, or sharing misinformation, distortions, or fabrications online related to this incident. Stay updated with official information from authorized agencies.

Never disclose deposit accounts, payment accounts, savings books, debit card numbers, credit card numbers, security codes (CVV/CVC), or passwords to anyone, including those claiming to be from official agencies.

The announcement also emphasizes that any act of creating, disseminating, sharing, or commenting with false, distortive, or fabricated content that incites wrongful behavior may result in administrative fines ranging from 10,000,000 VND to 20,000,000 VND (half the amount for individuals) under Article 101 of Decree No. 15/2020/NĐ-CP dated February 3, 2020, amended by Decree No. 14/2022/NĐ-CP dated January 27, 2025.

Previously, regarding the CIC cyberattack, a representative from the National Cybersecurity Association’s Technology Board confirmed that citizens need not take measures like locking cards, accounts, or changing CVC/CVV codes based on unverified online information. Such actions do not enhance security and may disrupt transactions, impacting daily life.

Addressing public concerns, especially regarding credit card information, Mr. Ngô Minh Hiếu, Project Director of Chongluadao.vn, stated in the Lao Động newspaper that banks do not share sensitive data such as card numbers, expiration dates, CVV/CVC codes, OTPs, or passwords with CIC. Thus, customer transactions and credit card information remain secure.

The expert advises the public to remain calm, avoid rumors that could cause panic, and refrain from rushing to replace cards. He emphasizes that bank security protocols prevent the sharing of such confidential information.