LAHORE: The last week has left the banking sector in shambles as reports of a countrywide cyber-attack estimated by industry experts at billions have emerged, shortly followed by notifications from banks informing their customers that all international payments have been blocked until further notice.
Earlier, Profit reported that a cyber-attack involving Bank Islami hit its customers to the tune of $6.5 million. Sources allege that the attack lasted 35 minutes and wiped multiple customers’ accounts, due to the bank’s negligence or some internal systems failure. However, the Bank later denied all such reports and claimed that a mere Rs2.4 million had been withdrawn from customers’ account which had already been reimbursed.
Following this development, the State Bank of Pakistan (SBP) also issued directives instructing banks to take precautionary steps to ensure customers’ data safety and block all international payments. Later in a statement, SBP Spokesperson Qamar Abid told Profit that the banks were only advised and it was completely at the banks’ discretion to follow these measures or not.
Meanwhile, in the sidelines reports have also emerged that this attack that seems to have only affected only one bank was rather an inside job. Internet Security Analyst Rafay Baloch in a series of tweets claimed that Bank Islami’s customers’ card details were being auctioned on the dark web for the public. He also alleged that a possible computer virus might have been the cause of such a widespread hack.
A week later the situation seems to have left many customers on the edge regarding data privacy and the banking accounts. Allied Bank and The Bank of Khyber former audit Chief Hermond Javed Bhatti told Profit, “The general public is slowly losing faith in the banking sector and with data breaches like these, coupled with the introduction of federal taxes on banking transactions and the latest money laundering cases, more and more customers are turning away from the formal banking sector to the informal sector in a bid to distance themselves from conspiracy.”
In the wake of the recent attacks MCB Bank (MCB), Allied Bank (ABL) and Summit Bank have issued press releases reassuring their customers. MCB is a statement said, “In wake of a recent incident of cyber crime related to fraudulent bank transactions due to the data breach, MCB Bank would like to assure its valued customers that the customers’ data is completely safe. Not a single customer has been affected in the incident/report publicised in media. Furthermore, the Bank reaffirms to remain vigilant and assure the integrity of its systems.”
Moreover, ABL said in a statement, “Allied Bank would like to assure its valued customers that Bank’s systems and customers’ data are absolutely secured and they can enjoy banking services both domestically as well as internationally with ease.” It added, “The Bank has already heavily invested in the past years on security and resilience of its systems to make them robust and reliable for safe and secure banking across all the channels. ABL is continuously engaged with the top of the line consulting firms for regular testing of its banking systems and infrastructure in line with best international practices. Allied Bank customers are also advised to inform the Bank before embarking upon international travel for use of their cards globally.”
Earlier on Tuesday SBP also issued a statement addressing the widespread rumours, “It has been noted with concern news items reporting that the data of most banks have been hacked. SBP categorically rejects such reports. There is no evidence to this effect nor has this information been provided to SBP by any bank or law enforcement agency.”
It added, “We would like to emphasize that except for the incident of October 27th, 2018 in which reportedly the IT security of one bank was compromised, no breach has been reported.”
“Nevertheless, SBP has already instructed all banks to take steps to identify and counter any cyber threat to their systems in coordination with international payment schemes. Representatives of payment schemes have also assured that all steps are being taken to help banks in identifying any cyber threat on card systems and have offered additional controls to them.”
“In addition to the above, some banks are putting in place further precautionary measures while others are confident of the security of their systems and continue to make all card transactions fully available to their customers. The precautionary measures by some banks include partial restrictions, such as requiring customers to seek prior approval for use in cross-border transactions, or in a few banks, a total restriction on cross-border transactions. However, SBP has been assured that all these temporary, restrictions would be lifted once appropriate IT security measures are in place. It is stressed, that all restrictions pertain only to cross-border transactions, and no bank has instituted any restriction on domestic transactions.
SBP is engaged with the international payment schemes, payment operators and banks to monitor the current situation continuously to ensure the security of the banking system.”
Meanwhile, the true extent of the breach is still ambiguous. However, according to media reports Visa, the international payment processor has taken Bank Islami to court involving the recent incident.
