Vietnam central bank on credit data breach: CIC does not collect deposit or payment account data

CIC, which is managed by SBV, is one of four licensed credit information service providers in Vietnam.

The center gathers credit data in accordance with the law, but such data does not include details of deposit accounts, payment accounts, balances, card numbers, security codes, or customers' payment transaction histories.

SBV said it had promptly instructed CIC to report on the incident and coordinate with competent authorities to investigate and address the matter, while ensuring the continuity of CIC's operations.

It also underlined that the information technology systems of credit institutions operate independently and remain stable and secure.

The central bank emphasized that it regularly requires credit institutions to review and strictly comply with legal provisions on cybersecurity, confidentiality, and IT system safety to protect customers' rights and interests.

Any unauthorized collection, processing, exchange, or use of credit information will be handled in accordance with the law, it added.

The statement came after a report by the Vietnam Cybersecurity Emergency Response Center (VNCERT) on Thursday confirmed a personal data breach at CIC.

Initial findings indicated that cybercriminals had launched attacks to steal the personal data, with the scale of compromised information still under review.

VNCERT warned organizations and individuals not to download, share, or exploit the leaked data, stressing that violators will face legal consequences.

The agency also urged financial institutions to strengthen compliance with the national cybersecurity standard TCVN 14423:2025.

It further recommended that the public remain vigilant against cybercrime, including phishing, malware, and financial scams that could exploit the leaked data.