Azerbaijan: $3.5 million stolen from bank cards, expert calls for reforms

JAMnews

Baku

Bank thefts in Azerbaijan

At a panel discussion on cyber sovereignty, Hikmat Mammadov, head of the information and cybersecurity department at Azerbaijan’s Ministry of Internal Affairs, stated that in 2024, 22 million manats (approximately $13 million) were stolen from Azerbaijani citizens’ bank cards, including 6 million manats (about $3.5 million) in just the past four months.

Information and communication security expert Osman Gunduz said that the public disclosure of such data at the official level is a positive step.

However, he criticized the Central Bank and other state agencies for failing to respond so far, despite the fact that they should have acted immediately.

“Mass theft has become routine. Now we wake up every day wondering how much money, according to the interior ministry, was stolen from cards. When will the government take effective action against this threat?” Osman Gunduz asked.

Elshad Hajiyev, head of the press service of the Ministry of Internal Affairs, speaking at a media forum held in Baku, stated that the main cause of bank card fraud is the sharing of personal information with others.

“You should never share your bank card details in response to calls from abroad or by posting them on online platforms. This creates opportunities for theft. Preventing bank card fraud primarily depends on people’s own vigilance,” he said.

According to Hajiyev, public awareness campaigns in this area have led to a significant decrease in fraud cases. While around 50 such cases were previously reported each day, the current figure has dropped to between 10 and 20.

Statistics are classified

In Azerbaijan, there is no publicly available statistical data on thefts involving digital payment systems. While the Ministry of Internal Affairs, the Central Bank, and the State Service for Special Communications and Information Security share general figures on cybercrime, there is no information about which specific banks or mobile applications are most frequently targeted.

As of the end of 2023, Azerbaijan ranked 52nd in the National Cybersecurity Index. This ranking reflects the country’s technical development level, but the scale of digital thefts and the risks associated with specific banks remain unclear.

What are the banks saying?

Some banks, such as PAŞA Bank, claim they are taking cybersecurity measures and have obtained certification in compliance with international standards (PCI DSS). Banks like Kapital Bank and ABB also report using two-factor authentication to ensure security.

However, statistics on actual theft cases are not published.

Osman Gunduz points out that the names of the banks with the highest number of theft incidents are known to the Central Bank and the Ministry of Internal Affairs, but are not disclosed to the public:

“Publishing this data could spark a strong public reaction. But apparently, it’s being withheld due to concerns over reputational damage to the banks.”

“The Central Bank must revise its regulations, tighten identification requirements, and banks must be held accountable for stolen funds. It’s unacceptable to avoid responsibility under the excuse of ‘you confirmed the transaction yourself.’”

How adequate are the laws regulating this area?

In Azerbaijan, the main legal framework in this area is the Law on Personal Data, adopted in 2010. However, experts believe this law does not address modern digital risks and significantly lags behind international standards, such as the European Union’s General Data Protection Regulation (GDPR).

The GDPR is a law that governs the collection, processing, and storage of personal data. It came into effect on May 25, 2018, and is designed to protect the data of EU citizens, placing strict obligations on companies.

“Control and internal audit systems for individuals who have access to customer data in banks are weak. There is also no ban on the employment of foreign nationals in the banking system, which poses a potential threat,” says Osman Gunduz.

What does international practice say?

Elshad Hajiyev also stated that “in Europe, victims of cyber fraud never get their money back.”

However, in Turkey and European Union countries, banks typically reimburse the majority of losses resulting from theft in digital payment systems. According to the PSD2 directive, European banks are required to reimburse unauthorized transactions within 24 hours — unless the customer was negligent.

The Payment Services Directive 2 (PSD2) is a regulation that oversees payment services and providers within the European Economic Area (EEA). Its goal is to increase competition, innovation, and security in the payments industry.

In Georgia, banks are required to conduct annual cybersecurity audits and publish public reports on data breaches. In Azerbaijan, no such reporting mechanisms exist.

How to address the problem of cyber theft?

Osman Gunduz says that while awareness campaigns and digital literacy are important and beneficial, relying solely on them will not solve the problem in the short term.

He proposes the following steps to tackle the issue:

Publish information about the banks where thefts most frequently occur
Tighten identification rules enforced by the Central Bank
Audit the code of mobile applications and introduce an emergency “SOS” button
Strengthen internal controls within banks and mobile operators
Increase legal accountability for cyber theft

As digital payments continue to grow, the rising number of thefts raises serious concerns about the silence of the state and the banking sector. The concealment of statistics, lack of transparency, and weak public awareness only worsen the problem.

International experience shows that transparency and accountability are the foundations of cybersecurity. So far, however, Azerbaijan remains far from adopting such an approach.

News in Azerbaijan