Al Barid Bank (Morocco)

In May 2026, an unknown threat actor advertised Al Barid Bank customer data on dark web marketplaces. The dataset included two distinct components: between 37,890 and 47,720 card and customer records from the bank's main database, and over 2 million SMS transaction logs from their messaging systems. The attacker monetized the breach by offering the data for sale to other cybercriminals.

The banking database exposure contained card status information, customer contact details, account numbers, and transaction records. The SMS logs component included over 2 million transaction notification messages—the automated confirmations banks send after purchases, withdrawals, and transfers.

Transaction SMS logs are particularly valuable to attackers. They contain account numbers, transaction amounts, merchant names, timestamps, and balance information. Combined with the customer database records, this creates a complete profile of banking relationships, spending patterns, and account activity for tens of thousands of Al Barid Bank customers.

Over 47,000 Al Barid Bank customers now have their banking information circulating on criminal marketplaces. Account numbers enable account takeover attacks. Contact information combined with transaction history enables highly targeted phishing—attackers can reference specific purchases, accurate account balances, and real merchant relationships to build convincing social engineering campaigns.

For a Moroccan banking institution, the exposure extends beyond individual customers. Small businesses using Al Barid Bank for commercial accounts now have their transaction patterns exposed. Attackers can identify cash-heavy businesses, understand payment cycles, and target companies during periods of high account balances.

Al Barid Bank operates under Bank Al-Maghrib supervision and Morocco's banking regulatory framework. They implemented SMS transaction notifications as a security measure—immediate alerts when money moves help customers detect unauthorized activity. The database systems holding customer information were protected by standard banking security controls.

The SMS notification system itself represents security investment. Real-time transaction alerts reduce fraud by enabling customers to report suspicious activity immediately. But those same security notifications became the breach payload—2 million messages documenting customer financial activity now in attacker hands.

Banking institutions track customer data across multiple systems—core banking platforms, card management systems, SMS gateways, transaction processors. Al Barid Bank's breach spanned two distinct systems: the customer database and the SMS transaction log repository. This suggests separate compromises or a single attacker with access to multiple backend systems.

SMS transaction logs accumulate silently. Every withdrawal, every purchase, every transfer generates a message. Over months or years, that SMS archive becomes a comprehensive financial surveillance database. Al Barid Bank may not have fully understood that their security notification system was also creating a detailed transaction history accessible through backend SMS infrastructure.

The attacker remained anonymous, advertising the data on dark web forums where banking information commands premium prices. Al Barid Bank faces notification requirements under Moroccan data protection law and potential regulatory action from Bank Al-Maghrib. Over 47,000 customers need to be notified that their account information and transaction history is now publicly available.

For customers, the breach notification arrives after the data is already being traded. Account numbers exposed in May 2026 will be used for fraud attempts throughout 2026 and beyond. Banks can reissue cards, but they cannot recall transaction histories or erase SMS logs from criminal databases.