In the wake of a cyberattack in which over $850 million worth of transactions were affected and which implicated the security measures of major banking institutions on several continents, banks were reminded to review and follow their security measures. While Canadian financial institutions were not directly affected, the event (and the subsequent warning) serves as a reminder of the increasing sophistication and speed of hackers. While recommended threat sharing may prove valuable to thwart such attacks, the Canadian Privacy Commissioner has signaled that it will be scrutinizing such information sharing efforts to ensure they don’t run afoul of Canada’s privacy legislation.

In a February 2016 heist, hackers stole over $100 million from the Bangladesh central bank’s account at the Federal Reserve Bank of New York. After a reconnaissance phase in which the hackers remotely monitored central bank activity, the hackers were then able to pose as Bangladeshi officials and sent messages to the Fed, which wired funds to fraudulent accounts in the Philippines and Sri Lanka.

The receiving Sri Lankan bank returned the $20 million transfer because the beneficiary’s name was misspelled. However, the $81 million sent to the Philippines remains missing. Further transactions worth $850 million were halted by the Fed.

Hackers used malware to access Bangladesh central bank SWIFT credentials

The Bangladesh bank hired FireEye Inc. and World Informatrix to investigate the theft. The cybersecurity firms released an interim investigation report stating that the cyber criminals introduced malware onto the Bangladesh central bank’s servers, which allowed the hackers to process the transactions. The attack targeted the servers running the bank’s SWIFT interface – the network used to securely authorize transactions between financial institutions through international codes. SWIFT representatives emphasized that the SWIFT network itself was not breached. They described the heist as a targeted attack on the central bank’s local operating environment.

According to the report, the hackers had been monitoring the central bank’s servers for almost two weeks before executing the transactions. The hackers used keylogger software to track keystrokes and steal the central bank’s SWIFT credentials, enabling them to create seemingly legitimate money transfer messages. The first login, on January 24, 2016, lasted less than a minute. Operator logs show multiple short logins leading up to the February 4, 2016 transfers to the Philippines.

SWIFT has issued a written warning to banks, requesting that they review internal security in light of the hack. It has also reportedly issued a summary of previously issued recommended security measures to emphasize the importance of best practices. While SWIFT can recommend internal security measures, it has not established any specific measures to be uniformly adopted by financial institutions to secure their networks.

Investigations are ongoing to determine scope of impact and recover missing money

It is unclear how the malware was installed on the servers and Bangladeshi officials said it may still be on the local central bank network. FireEye Inc. warned that dozens of computers may have been breached. The report identifies 32 “compromised assets” used to investigate the central bank’s system and gain control of the SWIFT servers. It suggests that the attack was propagated by a well-organized, financially-motivated criminal group, which may have targeted other financial institutions.

The U.S. Federal Bureau of Investigation met with Bangladeshi police in early March to assist with transborder aspects of the probe. The Bangladesh central bank has also reached out to the Fed and financial authorities in Manila for help recovering the $81 million that remains missing.

The Bangladesh central bank wants to confirm that transfer procedures were properly carried out by the Fed in light of allegations that five of the 35 payment transfer orders were executed without reconfirmation. According to the Bangladeshi Finance Minister, the government is waiting for an investigation committee to advise on whether the central bank should file a lawsuit against the Fed. The Bangladesh central bank has hired a lawyer to determine whether standard practices were followed by the Fed. The Fed claims that they took appropriate measures in transferring the funds from the Bangladesh central bank’s account.

The Bangladeshi central bank’s governor resigned after the attack and his replacement has ordered an overhaul of security procedures. As one of the world’s biggest cyber heists, the theft demonstrates the vulnerability of the electronic networks that underlie the global financial system.

Lessons for Canadian business

The advisory from SWIFT reportedly emphasizes that organizations should review, update and follow their cybersecurity practices. This advice applies to any organization, particularly those that handle money or transactions, as they will by their nature be targets.

The incident also highlights the vulnerability of computer systems and payment networks that form the backbone of global commerce. In an increasingly networked world, any one organization’s security is only as good as the security of the other participants in the network. The evolution of threat sharing among targeted networks and industries has recently taken a front seat in Canada with Canadian Cyber Incident Response Centre promoting the expected launch in Q1 2016 of the private sector not-for-profit Canadian Cyber Threat Exchange.

However, speaking at the Canadian Institute’s Privacy Law and Compliance Forum on on March 31, 2016, a representative of the federal Office of the Privacy Commissioner of Canada expressed concern about such information sharing. Noting that the new provisions introduced into Canada’s privacy legislation by the Digital Privacy Act do, in some circumstances, permit the sharing of personal information without knowledge or consent, he warned that organizations that do share such information “better be able to establish that it is necessary for this purpose” and had “better be able to justify why [the organization] has come to that conclusion”.