Information security challenges in the bank system and risk management. Timeline of data breaches on Kaspi platform

Implementation of different services by Kaspi bank

2012

  • Bill Payments
  • e-Wallet

2013

  • Active expansion of the terminal network
    enabling customers to top up their
    e-Wallets for Bill Payments

2014

  • Marketplace Platform
  • Kaspi Bonus

2015

  • Kaspi Gold debit card
  • Online Car Finance in partnership with Kolesa.Kz
  • Delivery service at Marketplace

2016

  • Kaspi Red Shopping Club
  • Kaspi Guide

2017

  • Kaspi Mobile App
  • P2P transfers by card
  • P2P transfers by phone number
  • Kaspi Juma
  • Kaspi Maps

2018

  • Kaspi QR
  • ATMs with face recognition and
    Kaspi QR technology
  • Kaspi Business Mobile App
  • P2P Global Transfers to any card
  • P2P Transfers by Kaspi QR code
  • Kaspi Message

2019

  • Mobile Commerce (Kaspi QR)
  • Kaspi Face ID
  • Kaspi e-Sign
  • Consumer finance and Kaspi Red with Kaspi e-Sign, Kaspi Face ID and Kaspi QR in Kaspi Mobile App
  • PoS solutions with Kaspi QR technology

Kaspi’s business is subject to cyberattacks and breaches of security

Key problems of Kazakhstan in cybersecurity derive from an exponential increase in the number of Internet and mobile users, insufficient awareness in methods of information security and low supply in information security systems of the enterprises, the low-quality services and applications provided to citizens and the private organizations within “the electronic government”, and violation of the rights and legitimate interests of citizens.

An increasing number of organizations, including large merchants and businesses, technology companies and financial institutions such as Kaspi, are subject to attacks on their information security systems, some of which involve sophisticated and highly targeted attacks on their websites and infrastructure. The methods used to obtain unauthorized, improper or illegal access to information security systems are constantly evolving. Targeted attacks may also be difficult to detect quickly and are often not recognized until they are launched against a target. Unauthorized parties may attempt to gain access to Kaspi’s Ecosystem through various means, including hacking into platforms or attempting to fraudulently induce (often through spear-phishing attacks) employees, customers, partners, vendors or other users of Kaspi’s systems into disclosing user names, passwords, payment card information or other sensitive information, which may in turn be used to access Kaspi’s systems. Kaspi has experienced in the past, and may experience in the future, cyberattacks and other security breaches (due, among other factors, to human error, malfeasance, system errors or vulnerabilities, or other irregularities) affecting the functionality of its platforms. While Kaspi has systems and processes designed to prevent cyberattacks and security breaches, which have been effective in preventing Kaspi from incurring material financial losses in the past, and while Kaspi expects to continue to expend significant resources to bolster these protections, such measures cannot provide absolute security, and any security breach could adversely affect Kaspi’s business, financial condition, results of operations or prospects.

Actual or perceived breaches of Kaspi’s security could interrupt its operations, resulting in, amongst other things, its systems or services being unavailable, improper disclosure of data, material damage to Kaspi’s reputation and brand, increased regulatory scrutiny or fines, as well as legal and/or financial exposure. In addition, such events could cause Kaspi to incur significant remediation costs, lead to loss of customer confidence in, or decreased use of, Kaspi’s products and services, and divert management’s attention from the operation of Kaspi’s business. This could result in significant compensation or contractual penalties payable to consumers or merchants as a result of their claims, and could adversely affect Kaspi’s business, financial condition, results of operations or prospects.

The performance, reliability and security of the telecommunications and internet infrastructure in Kazakhstan

Kaspi’s business depends on the performance, reliability and security of the telecommunications and internet infrastructure in Kazakhstan, where all of Kaspi’s computer hardware is currently located. Any disruptions in, or failures of, the telecommunications and internet infrastructure in Kazakhstan may adversely affect the quality or availability of Kaspi’s Ecosystem. The failure of telecommunications network operators to provide Kaspi with the requisite bandwidth could affect the speed and availability of the Company’s Platforms and mobile applications. Moreover, if the security of Kaspi’s domain names is compromised for any reason, Kaspi will be unable to use such domain names in its business operations, which in turn could adversely affect Kaspi’s business and brand image.
The Company may fail to implement adequate measures for the encryption of data transmitted through the networks of the telecommunications and internet operators, and such operators or their business partners may misappropriate Kaspi’s data, which could adversely affect Kaspi’s business.

Personal Data Protection

The Personal Data Law applies to Kaspi. Among other things, the Personal Data Law requires that an individual must consent to the processing (i.e. any action involving the accumulation, storage, modification, addition, use, distribution, depersonalization, blocking and destruction) of their personal data and must provide such consent prior to the personal data being processed. The consent shall be provided in writing, in the form of an electronic document, or in any other way using elements of protective actions that do not contradict the legislation of the Republic of Kazakhstan. Under the Personal Data Law, the storage of personal data shall be carried out by the owners and (or) operators of personal databases, as well as by any third party which has contractual relationships with such owners and (or) operators, in a database which is physically located and stored within the territory of the Republic of Kazakhstan. Under the Personal Data Law, owners and operators of personal data databases shall ensure the security of personal data through legal, technical and organizational measures and in accordance with the requirements set forth by the Law of the Republic of Kazakhstan No. 418-V ZRK “On Informatization”, dated 24 November 2015 (as amended).

Failure to maintain and protect customer and employee information

Kaspi collects and processes personal data (including names, addresses, ages, bank details and other personal data) from its customers, business contacts and employees as part of the operation of its business, and it must comply with data protection and privacy laws and industry standards in Kazakhstan. Those laws and standards impose certain requirements on Kaspi in respect of the collection, use, processing (including accumulation, modification, distribution, depersonalization, blocking and destruction of personal data) and storage of such personal data. Failure to operate effective data controls in respect of the collection, use, processing and storage of such personal data, as prescribed by applicable law, could potentially lead to administrative fines, financial costs and reputational damage, and undermine trust in Kaspi’s Ecosystem and brand (see “—Maintaining the trusted status of Kaspi’s Ecosystem and a strong brand is critical to future growth”), any of which could adversely affect Kaspi’s business, financial condition, results of operations or prospects. The Law of the Republic of Kazakhstan “On Personal Data and the Protection Thereof” No. 94-V ZRK, dated 21 May 2013 (as amended) (the “Personal Data Law”) is a special legislative act that established a framework for the protection of personal data. Prior to the adoption of this law, Kazakhstan did not have any specific laws regulating the protection of personal data. Therefore, there is currently no widely established or consistent judicial practice in respect of personal data protection matters. Existing laws and regulations on personal data protection may be amended, the manner in which such laws and regulations are enforced or interpreted may change, and new laws or regulations on personal data protection may be adopted, including in order to further regulate or restrict the use of personal data. If the existing interpretation of the laws and regulations were to change or future regulations were imposed, it could have an adverse effect on Kaspi’s business.

Kazakhstan’s legislative and regulatory framework is evolving

Kazakhstan citizens have already made more than 33 million commission-free payments on the “Kaspi” website and have saved more than 3 billion tenge of national currency. The unprecedented growth of online payments in Kazakhstan increases the risks associated with new technologies, among them technical failures in the software, fake mailings, fake accounts, and fraud.

Whilst a large volume of legislation was enacted several decades ago, the legal framework in Kazakhstan is still evolving in comparison to countries with more established market economies.

There are no known guidelines for reporting potential security vulnerabilities on the Kaspi website, and there is no existing legislative regulation of such reporting.

Information security and risk management governance

Administrative, physical, technical protections

  • Company Responsibilities
  • Employee accountability
  • Risk assessment
  • Monitoring
  • Enforcement

Assessment of cyber risk proceeds in three steps.

Step 1

Formation of the system of risk factors. The experts define a list of relevant threats, vulnerabilities and protective measures for each type of cyber risk.

Step 2

Assessment of risk factors by experts. Independently of each other, the experts rate each risk factor on a four-level scale (fig. 2 and 3). The criticality criteria are developed taking into account the business scale of “Kaspi Bank”.

At the same stage the weight of every risk factor is defined, so as to reduce the influence on the total rating of factors that are not critical for the risk in question. For example, for the risk of damage from information leakage, the assessment of process violations need not be considered; the “category of information” parameter is decisive, and its weight has to be increased. The weight of a factor is estimated on a scale from one to nine.

Step 3

Calculation of the cyber risk rating. The key difference between this model and existing qualitative methods is the ability to combine a large number of collected opinions and scales into a single risk rating value, whereas the classical tabular method cannot handle such a volume of expert opinions. For calculation of the total risk rating it is recommended to use the matrix method, which aggregates all qualitatively estimated factors into one quantitative value for “Kaspi Bank”. It allows the number of participating experts and the dispersion of their opinions, as well as differences in scales, to be taken into account, which increases the objectivity of the assessment.
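The three steps above, worked through in code as an added example; this is not Kaspi Bank’s own model, and the specific aggregation (normalising each factor’s four-level rating to [0, 1], averaging across experts, then taking a weight-1-to-9 weighted mean) is an assumption about how such a matrix method can be built. The factor names, weights and expert ratings are constructed sample data for an information-leakage risk, chosen to mirror the page’s remark that “category of information” is decisive and process violation carries little weight.

```python
"""Matrix-style aggregation of expert cyber-risk ratings into one value.

Added example (not Kaspi Bank's model).  Assumptions: each factor is rated on
a 1..levels scale (four levels on the page), factor weights run 1..9, ratings
are normalised to [0, 1] before averaging so that factors rated on scales of
different sizes can be combined, and the final rating is the weight-weighted
mean of the per-factor expert averages.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class RiskFactor:
    name: str
    weight: int      # 1 (little influence) .. 9 (decisive), as on the page
    levels: int = 4  # size of the qualitative scale the factor is rated on


def normalise(rating: int, levels: int) -> float:
    """Map a rating on a 1..levels scale onto [0, 1]."""
    if not 1 <= rating <= levels:
        raise ValueError(f"rating {rating} outside 1..{levels}")
    return (rating - 1) / (levels - 1)


def validate_factors(factors: list[RiskFactor]) -> None:
    """Step 1 sanity check: weights stay on the 1..9 scale, scales are usable."""
    for f in factors:
        if not 1 <= f.weight <= 9:
            raise ValueError(f"{f.name}: weight {f.weight} outside 1..9")
        if f.levels < 2:
            raise ValueError(f"{f.name}: a scale needs at least two levels")


def aggregate_risk(factors: list[RiskFactor],
                   ratings: dict[str, dict[str, int]]) -> tuple[float, dict]:
    """Steps 2 and 3: fold the expert x factor matrix into one rating in [0, 1].

    ratings maps expert -> {factor name -> rating}.  Besides the total rating
    the per-factor mean and spread (population std. dev.) are returned so that
    disagreement between experts stays visible rather than being averaged away.
    """
    validate_factors(factors)
    total_weight = sum(f.weight for f in factors)
    detail, weighted_sum = {}, 0.0
    for f in factors:
        # one matrix column: every expert's normalised rating of this factor
        column = [normalise(expert[f.name], f.levels) for expert in ratings.values()]
        col_mean = mean(column)
        detail[f.name] = {"weight": f.weight, "mean": col_mean,
                          "spread": pstdev(column)}
        weighted_sum += f.weight * col_mean
    return weighted_sum / total_weight, detail


def disputed_factors(detail: dict, threshold: float = 0.25) -> list[str]:
    """Factors whose expert opinions diverge more than threshold; a practitioner
    would send these back for a second round rather than trust the mean."""
    return sorted(name for name, d in detail.items() if d["spread"] > threshold)


# Constructed sample data for an information-leakage risk (not from the page).
FACTORS = [
    RiskFactor("category_of_information", weight=9),   # decisive, per the page
    RiskFactor("threat_relevance", weight=6),
    RiskFactor("vulnerability_exposure", weight=5),
    RiskFactor("process_violation", weight=1),          # nearly ignored, per the page
]
RATINGS = {
    "expert_A": {"category_of_information": 4, "threat_relevance": 3,
                 "vulnerability_exposure": 3, "process_violation": 2},
    "expert_B": {"category_of_information": 4, "threat_relevance": 3,
                 "vulnerability_exposure": 2, "process_violation": 1},
    "expert_C": {"category_of_information": 3, "threat_relevance": 4,
                 "vulnerability_exposure": 3, "process_violation": 4},
}

if __name__ == "__main__":
    rating, detail = aggregate_risk(FACTORS, RATINGS)
    print(f"total risk rating: {rating:.3f}")
    for name, d in detail.items():
        print(f"  {name:<24} w={d['weight']} mean={d['mean']:.2f} spread={d['spread']:.2f}")
    print("disputed factors:", disputed_factors(detail))
```

With the sample matrix the experts disagree strongly on process violation (ratings 2, 1 and 4), but because that factor carries weight 1 its disagreement barely moves the total, which is exactly the effect the weighting step is meant to produce; the spread is still reported so the disagreement is not silently lost.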

Within Kaspi, the internal audit service is responsible for the oversight of the Company’s business operations in relation to internal control and risk management. The internal audit service carries out auditing assignments in accordance with the plan established by the Board of Directors, and reports on the Company’s compliance with the plan’s recommendations. The internal audit service reports to the Board of Directors. The members of the internal audit service must be available for any meetings of the Board of Directors.


Timeline of officially asserted data breaches:

March 2017

“Over the past few weeks, international cyber scammers have made a number of attempts to steal money from the bank accounts of Kazakhstanis. However, online banking services are reliably protected from hacking.”

July 2019

Phishing sites imitating the Kaspi resource have been identified in Kaznet.

On July 29, the KZ-CERT Computer Incident Response Service received a report about a suspicious Internet resource that duplicated the official Kaspi Internet resource under the domain name kaspi-bannk.com. Experts conducted a detailed analysis of the resource and found phishing forms on it. It is noted that the domain name kaspi-bannk.com was registered on July 29 of the same year.

“A distinctive feature of this phishing link was that when you go to the page, the first pop-up window was registration / authorization. I would like to note that when switching to the official Kaspi resource, the main page opens with the first pop-up window, where the online store is displayed,” KZ-CERT noted.

As the scammers intended, cardholders were to enter their trusted phone number and password, after which the user, without noticing it, was redirected to the loading.php page and, upon receiving an SMS code, had to enter it as well, thus giving the scammers access to their accounts.

The Internet resource has been classified by the KZ-CERT Service as a "fraudulent Internet resource/Phishing on the Internet".

2019

"In 2019, there were no cases of fraud related to the installation of programs for remote access to customer accounts. The bank reliably protects accounts. Fraudsters cannot access customer assistance money. No need to download unknown applications. You cannot enter your personal data on unknown sites," the Kaspi bank said officially.

2021

Fake Telegram bots

One of the latest examples of online scamming is fake Telegram bots, which scammers use to produce a counterfeit confirmation of a money transfer to the recipient. These bots act under the Kaspi name; the only things one needs to enter to receive the counterfeit confirmation are the recipient’s name and the amount supposedly transferred to the recipient’s bank account.

"We have the only official Kaspi channel in Telegram: https://t.me/kaspikz. All other channels are fake. Please use information only from our official channels," the official message from the Bank says.
