When hackers attacked the Bangladesh Bank network in February, stealing $81 million - touted by many as one of the biggest bank heists so far - nobody knew that cyber attackers have been able to send what looked like 'legitimate' SWIFT money transfer instructions.
It was only recently that SWIFT network - the global messaging network through which financial institutions send payment instructions through a system of codes - acknowledged that "it is aware of a number of recent cyber incidents in which malicious insiders or external attackers have managed to submit SWIFT messages from financial institutions' back-offices, PCs or workstations connected to their local interface to the SWIFT network".
SWIFT Network is used by 11,000 banks and financial institutions to send banking transaction instructions. The network processes around 25 million messages daily for transactions worth billions of dollars.
SWIFT in an official statement has said that it is not their network that has been breached but that of its customers. "We reiterate that the SWIFT network itself was not breached. our core messaging services have not been compromised. There is a full investigation underway, on what appears to be a specific and targeted attack on the victim's local systems. SWIFT is not in a position to comment on the outcome or conclusions of this investigation at this stage. Our priority at this time is to encourage customers to review and, where necessary, to reinforce their local operating environments."
However, the fact that the hackers have been able to breach some of the most secure financial networks is a stark reminder that we were probably a few clicks away from losing not only our money to cyber pirates, but also our identity and other sensitive information.As every detail and data under the sun is getting digitised and stored in secure codes in computer servers across the world, the danger of them being exposed to unscrupulous computer geeks breaking into secured networks has grown manifold.
Attacks getting bigger
The attack on a Bangaldesh Bank system is just another example of how even the most high-profile secured computer systems are not safe. In one of the biggest examples of data theft and cyber attack in recent times, hackers broke into the system of Office of Personnel Management in the US and stole four million biometric data, though, unofficially, the number was pegged at 18 million. In yet another example, hackers had breached the payment systems of Home Depot - an online home improvement retailer -and stole 56 million debit and credit card details of customers in September 2014.A month later, in October, JP Morgan Chase & Co. systems were attacked and 75 million-80 million records were compromised. In the dating website Ashley Madison cyber attack case, hackers had gained access to millions of customer information, including names and emails, and made it public, causing a lot of embarrassment to many of its subscribers.
In yet another case, hackers had leaked personal information of employees and copies of unreleased movies of Sony Pictures Entertainment in November 2015. While the monetary loss could not be ascertained, the film studio had to set aside $15 million to deal with losses caused by the hack.
"These attacks are not necessarily always for immediate monetary gain - this, however, continues to be the main motive of attackers - some breaches can be for purely with the objective of causing loss of reputation to an organisation. But invariably, there is huge cost attached (in the form of damages paid and lawsuits, etc.) to such attacks," says Reshmi Khurana, Managing Director and Head of South Asia, Kroll, a company which provides risk solutions to its customers.
In the case of Ashley Madison leak, the company is facing a $578-million lawsuit by clients. In the Home Depot case, the company is likely to pay $20 million in compensation to consumers affected by the data breach.
India not insulated
In India, we have not yet heard of such large-scale cyber attacks. However, as domestic institutions are getting more and more integrated to global systems we are becoming vulnerable to such threats.
According to data from CERT-IN, a government nodal agency that deals with cyber security threats, the number of cases increased almost five times from 22,060 in 2012 to 105,301 in 2014.
Besides, given the pace at which India is digitising its citizens' records - biometric details, tax returns, PAN, to name a few - we are as prone to cyber attacks as any country in the West. If the US Office of Personnel Management data can be breached, so can the biometric data collected through Aadhaar.
"The biggest challenge with biometric data getting stolen is that these details are not just unique and very specific to individuals, but they cannot be changed once they have been stolen," says Atul Gupta, Partner, IT advisory, KPMG in India.
Undermining the Risk
Cyber security experts say the risk is enormous, but there is lack of urgency at many levels. Says Gupta: "Our fundamental view is that it is no longer a technology risk, it is a business risk and until organisations are mature enough to start looking at it as a business risk, the risk of such attacks will be very significant."
Experts also believe the level of awareness about the risks of data theft is not very high in India. "People do not realise that personal data stolen can be used by hackers to assume the identity of a person to take loan, credit cards and even use it to avail social security benefits," says Khurana.
The breach can happen at any level. Therefore, Gupta says, whenever organisations engage with a third party, they must also give proper importance to its cyber security system. "In most cases, however, the due diligence process is mostly about the third-party's financials and not so much about its cyber security structure," he adds. The key to avoiding cyber security threats is to identify the most vulnerable assets, say cyber experts, as given the frequency and scale of cyber attacks, such negligence can prove too costly.