On the eve of Valentine’s Day, Malta’s second-largest bank was the target of a multi-pronged cyber burglary. A hacker organisation succeeded in wiring payments totalling 13 million euros (GBP 10.7 million) to a series of bank accounts located in the US, UK, Czech Republic and Hong Kong.
As relayed by Reuters and Maltese Prime Minister Joseph Muscat, the fraud was detected within the first few business hours on Wednesday 13 February, and the bank’s systems, as well as physical branches and ATMs, were shut down across the island for 24 hours as a precautionary measure.
Unfortunately, the Bank of Valetta (BOV) wasn’t the only victim. Banks everywhere are increasingly finding themselves targets of aggressive cyber-attacks. CI Blanco Mexico was hit by a similar Swift-related cyber attack that same day, and a dozen others have already reported hacks this year. Yet as Malta’s largest bank scrambles to find answers, the incident has probed cybersecurity experts to further question circumstances and what it tells them of worrying trends emerging in security breach reporting.
With 25 years experience in the FS cyber security space, Naveen Vasudeva, CEO of CISO International, immediately had concerns. “On average, it takes 280 days for a firm to understand that it has been compromised, which immediately leads me to speculate whether Malta’s core transactional system may have been compromised for a while.”
If this were the case, it wouldn’t be the first time that the extent of an attack was slow to emerge. A quick to recall event is April 2018, when seven of the UK’s largest banks were caught in a multi-bank cyber heist. Similarly, in 2011, it was more than a month before the full details of a cyber breach at Citigroup, the third-largest US bank, came to light, revealing that data from 200,000 credit card holders had been stolen.
“Reputation can often be a reason for covering a timeline,” says Naveen, “especially if compromised security arose from internal issues – such as poor admin, poor patch management and inadequate sponsorship of a cyber security programme to invest in the right tools able to monitor or detect elaborate frauds. Staff – whether in a bank or a textile brand – can be a firm’s strongest line of defence, or their biggest weakness if unprepared. As a Microsoft report revealed recently, almost half of employees admitted they had no security training in the past 12 months.”
Such thoughts were echoed by Sam Oliver, Senior Product Specialist at award-winning human cyber risk management vendor CybSafe. “Even before the breach has occurred there are a few simple ways to minimise the risk, such as empowering your people to spot the risk and report it. In an industry as highly targeted as banking, attackers will often target the bank’s privileged-access users with social engineering across multiple vectors as a more direct route to their prize.
“Although the investigation is ongoing as to the root cause of the Malta breach, the level of the attackers’ access and conventional security wisdom would suggest that someone within BOV’s network was successfully targeted this time round. It’s important for organisations to be able to understand where they carry risk across their user base and manage that risk more effectively than just with training.”
For Faye Savage, one of Poland’s first female cybersecurity experts, who was recently responsible for building the country’s largest cybersecurity team, Malta’s incident underlined a poor chain of reporting. “The audit took place in the morning and they reportedly shut off BOV’s point-of-sale equipment within 30 minutes. But, according to shop keepers who used their service, these remained operational until 1pm, then began malfunctioning without warning.”
“Clear times and concise reporting are the standard levels of professionalism seen across the board in banking, and when found lacking it leaves bank personnel and third-party partners at serious risk,” explains Savage. “There must strong communication systems in place between a bank and their customers during a security crisis. In BOV’s case, it appears that clients and business-owners, which rely on their system for payments, were not specifically notified – neither on time nor appropriately. It was reported that the bank released a cyber attack statement to the media via text message. Perhaps the same courtesy could have been extended to customers.”
Antoine Bouveret currently works as a Senior Economist at the European Securities and Markets Authority (ESMA), but analysed the different types of cyber incidents in 2018 whilst working for the International Monetary Fund. According to his IMF working paper, which represents his own views and not those of the ESMA or the IMF, bank hacking is a problem aggravated by a lack of data output and quantitative frameworks.
“Data on cyber risk is notoriously scarce, since there is no common standard to record them, and firms have no incentives to report them. Moreover, international sharing of data reported to domestic regulators also has to take into account – beyond the typical privacy and other constraints – that there might be national security considerations in the sharing and reporting of data. In the US in 2011, the Securities and Exchange Commission (SEC) released guidance on disclosure of cyber risk for listed firms, which was revised in 2018 to provide additional details on how and when firms should disclose the information to investors. However, there is scope to provide a framework to report cyber attacks, which could better address existing data gaps.”
Bouveret makes the cutting point that financial sector is currently under-reporting successful and unsuccessful cyber-attacks,. But perhaps the most worrying trend to emerge is the steady increase of same-style financial crimes, which points to a slow uptake from institutions to learn from past mistakes and implement fraud-risk procedures in time.