On September 12, 2025, Vietnamese banking customers woke to news of a cybersecurity incident at the National Credit Information Center (CIC), sparking widespread concern about the safety of their personal and financial data. The incident, first announced by the Vietnam National Cyber Emergency Response Center (VNCERT), revealed initial signs of personal data violations within the CIC’s systems. As news spread, VPBank—a major Vietnamese bank—moved quickly to reassure customers, clarify the scope of the breach, and outline the robust security measures in place to protect client assets and sensitive information.
According to both VietQ.vn and official VPBank statements, the bank emphasized that all data reported to CIC strictly complies with the regulatory framework set out in Circular No. 15/2023/TT-NHNN, issued December 5, 2023, and Decision No. 573/QĐ-NHNN, dated March 29, 2024. These regulations, enacted by the State Bank of Vietnam, govern the operations of credit information and the reporting protocols for all Vietnamese banks. The aim is to ensure that only specific, non-sensitive credit data is transmitted to CIC, while critical personal identifiers remain securely within each bank’s own system.
“Sensitive information such as electronic banking login data (username, password), biometric data, and debit/credit card details (16-digit card numbers, CVV/CVC codes) are fully secured within VPBank’s data system and are not included in CIC’s reporting data,” VPBank stated in its official notice. This assurance was echoed by VietQ.vn, which highlighted that VPBank’s electronic banking system adheres to the highest international security standards, including ISO 27001 and PCI DSS certifications. These standards are globally recognized benchmarks for information security management and payment card data protection, respectively.
The bank further detailed its multi-layered approach to security. Customer assets and transactions are protected through a combination of biometric authentication and one-time password (OTP) or SmartOTP codes. These codes are generated in real-time during the authentication process and, crucially, are not stored anywhere within the system. “They are not leakable unless the user directly provides them to others,” VPBank explained, underscoring the importance of customer vigilance.
Despite the technical robustness of these security layers, VPBank warned that the sophistication of cybercriminals continues to evolve. While the perpetrators behind the CIC incident could not directly seize customer assets, they might exploit leaked information to spread malware, craft convincing phishing campaigns, or develop other fraudulent schemes aimed at tricking users out of their credentials. The bank cautioned customers to stay alert, avoid installing applications from unofficial sources, and never share OTP or SmartOTP codes with anyone—even those claiming to be bank employees.
“Customers should refer to official information sources, avoid panic, and be cautious of fraudulent schemes exploiting leaked information to spread malware or conduct scams,” the bank advised. This measured guidance was reinforced by the State Bank of Vietnam, which, in the wake of the incident, received a report from CIC and promptly directed the center to coordinate with competent authorities for verification and handling. The State Bank also emphasized the need for continuous and transparent CIC operations, ensuring that credit services remained uninterrupted for Vietnamese consumers and businesses alike.
Authorities were not slow to act. The Cybersecurity and High-Tech Crime Prevention Department (A05), a specialized branch of Vietnamese law enforcement, began working urgently alongside IT security providers and State Bank units. Their joint mission: to deploy technical and operational measures that would contain the breach, verify its scope, and reinforce the digital defenses of the national credit infrastructure. According to VietQ.vn, these efforts were designed to maintain public trust and prevent further exploitation of any compromised information.
In a country where digital banking adoption has surged in recent years, the stakes could hardly be higher. The National Cybersecurity Association (NCA) stepped in to provide additional reassurance. "Through preliminary assessment, Vietnam’s banking and credit systems remain safe, are tightly protected, and continue to operate stably," said Vũ Ngọc Sơn, a representative of the NCA. He added that “there is no need for people to take drastic measures such as locking their cards, changing CVC/CVV codes, or altering their passwords.” In his view, such actions would not enhance security and, in fact, could disrupt daily life and business transactions.
The State Bank of Vietnam, for its part, has long maintained strict oversight of the nation’s credit institutions. It regularly directs banks to review and strengthen their compliance with legal regulations on information security, technology management, and the protection of customer rights. Any unauthorized collection, processing, or dissemination of credit information is subject to legal penalties, the central bank reminded the public. This regulatory vigilance, combined with the technical safeguards already in place at banks like VPBank, forms a critical bulwark against the rising tide of cyber threats.
For customers seeking further guidance or reassurance, VPBank encouraged them to contact their nearest branch or use the official customer service portal at https://cskh.vpbank.com.vn. The bank’s message was clear: stay informed, remain cautious, and rely on official channels for updates. “For further consultation, customers can contact the nearest VPBank branches or use the VPBank customer service portal,” the bank reiterated, pointing to its commitment to transparency and support during uncertain times.
Meanwhile, the incident has prompted renewed attention to the role and responsibilities of the CIC itself. As one of only four organizations authorized to provide credit information services in Vietnam, the CIC collects data according to strict legal mandates. Notably, it does not receive or process information such as deposit account numbers, balances, savings books, payment account numbers, debit or credit card numbers, security codes (CVV/CVC), or detailed transaction histories. This separation of data, mandated by law, is designed to minimize the fallout from any single breach and to ensure that the most sensitive personal details remain beyond the reach of unauthorized actors.
Looking ahead, both regulators and industry leaders agree on the need for ongoing vigilance. The State Bank has pledged to continue its oversight, urging all credit institutions to “enhance compliance with legal regulations on security, information technology, and customer rights protection.” Customers, too, have a role to play by following best practices, heeding official advice, and staying alert to the ever-changing tactics of cybercriminals.
As Vietnam’s financial sector continues its rapid digital transformation, the lessons of the CIC incident are likely to resonate for months to come. The episode stands as a stark reminder that even the most advanced systems are not immune to attack—but also that with the right safeguards, transparency, and cooperation between institutions and authorities, public trust can be preserved and strengthened.
