Attack on the NBU online store: personal data at risk, payment details secure
The National Bank’s online store for numismatic products has temporarily suspended operations due to a cyberattack on a contractor. We explain what data may have been leaked, why finances were not affected, and what ordinary users should do.
By Tetiana Suchkova-Ladik
February 19, 2026 · 2 min read
Briefly: why this matters
A potential leak of contact information of buyers from the National Bank of Ukraine’s online store complicates life for millions of Ukrainians who are used to ordering online. Financial details, according to the NBU, were not compromised, but this does not remove the risk of phishing and social engineering.
What happened
The online store selling the National Bank’s numismatic products temporarily suspended operations due to a cyberattack on a contractor company. According to official information, the attackers may have gained access to users’ personal data — names, phone numbers, e‑mails and delivery addresses. The NBU emphasizes that the system architecture was designed to isolate contractors from critical banking systems, and this prevented intrusion into the regulator’s services.
“Potentially, the attackers could have accessed personal information of the online store’s users, namely: first/last name, phone number, e‑mail, delivery address for numismatic products. Financial data — payment card details and other confidential information related to banking operations — were not compromised.”
— Press Service of the National Bank of Ukraine
Consequences: what is real and what is potential
Real: contact details may end up in the hands of fraudsters and become the basis for targeted phishing — emails, SMS or calls impersonating delivery services or the bank. Potential: direct access to clients’ funds, based on current information, is ruled out.
The NBU has already warned clients that its employees do not send messages asking to confirm payment details, do not call requesting card details, and do not ask to pay for orders by alternative methods. Trend analysis in the sector confirms: after incidents at the contractor level the number of fake mailings that impersonate legitimate services increases.
What users should do right now
Step-by-step security: check card statements; do not follow suspicious links; do not give information over the phone; change passwords in personal accounts if necessary; enable SMS/Push notifications for transactions. If you receive a suspicious message — verify the information through the official channels of the NBU or your bank.
Context and conclusion
The incident coincides with other cyberattacks in the financial sector: on February 18 A‑Bank reported an attack that affected some customer accounts. Cybersecurity experts point out that attacks on contractors are one of the most common routes for breaches. This underscores that the security of state services depends not only on internal policies, but also on partners’ standards.
The NBU example shows two important conclusions: a system architecture with isolation works, but preventing phishing is everyone’s responsibility. Now the question for the market and the regulator is: will this incident be enough to standardize requirements for contractors and reduce the risk of recurrence?
