On September 10, 2025, Vietnam’s National Credit Information Center (CIC) reported to the Vietnam Cybersecurity Emergency Response Team (VNCERT) a suspected significant cybersecurity incident involving unauthorized access to the CIC’s credit information database. A hacker group has claimed responsibility and allegedly posted over 160 million records for sale, including sensitive personal and financial data.

Implications for Banks and Financial Institutions

Companies that share customers’ or potential customers’ personal data with the CIC for credit scoring or other purposes—and continue to act as a data controller for such data—may be obligated under Vietnam’s Personal Data Protection Decree (PDPD) and related regulations to:

• Notify A05 (Department of Cybersecurity and High-Tech Crime Prevention) and the State Bank of Vietnam without delay.
• Inform affected individuals if their personal data is at risk.

Recommended Actions

Companies that could be impacted by this data breach should take the following actions:

• Conduct an internal review of CIC-related data in their systems, and identify whether and how the systems have been affected by this incident.
• Assess whether to notify regulators and customers/potential customers.
• Enhance cybersecurity controls, monitor for suspicious activity, and implement additional safeguards to prevent secondary breaches.