
Bangladesh Bank Heist Probe Finds 'Negligent' Insiders

But Investigators Reportedly Blame Outside Hackers, Seek Compensation
Bangladesh Bank headquarters in Dhaka (via Google Street View)

An internal investigation into the February theft of $81 million from the central bank of Bangladesh reportedly found that a handful of negligent and careless bank officials inadvertently helped facilitate the heist by outside hackers.


Former Bangladesh central bank governor Mohammed Farashuddin told Reuters that the government-appointed panel investigating the heist blamed, in part, the five low-level and mid-level officials.

"They were negligent, careless and indirect accomplices," he told Reuters, adding that attackers had exploited vulnerabilities in the bank's information security defenses. "The committee came to the conclusion that the heist was essentially committed by external elements."

A Bangladesh Bank spokesman didn't immediately respond to a request for comment on the commission's findings or with whom they've been shared.

In the February heist, hackers attempted to steal $951 million from Bangladesh Bank's Federal Reserve Bank of New York account and move it into five accounts held at Rizal Commercial Banking Corporation in the Philippines via the SWIFT interbank messaging network.

Ultimately, Bangladesh Bank successfully recovered all but $81 million, which remains missing and appears to have been laundered via casinos in the Philippines. The heist is being investigated not only by Bangladesh police, but also by the FBI, Interpol and police in the Philippines.

To date, no arrests have been made in connection with the heist.

Farashuddin is calling on the bank to release the results of its internal investigation to demonstrate that while bank officials may have been negligent, they were in no way involved in the heist.

Likewise, Philippine Finance Secretary Carlos Dominguez tells Reuters that his government has "strongly recommended" that Dhaka share the results of its investigation into the heist. Dominguez last week met a Bangladesh delegation led by Anisul Huq, the Bangladesh government's minister for law.

Bangladesh First Blamed New York Fed

The Bangladesh Bank heist attack came to light in March, and Bangladesh Finance Minister Abul Maal Abdul Muhith said his government blamed the New York Fed for failing to block the transaction outright.

Both the Fed and SWIFT quickly countered, however, that the transfer request had been made using valid credentials, and ultimately blamed poor information security controls at Bangladesh Bank for having failed to prevent hackers from remotely accessing the bank's systems and deploying malware. But subsequent interviews with current and former bank officials suggested that "inertia and clumsiness" at the New York Fed didn't help (see Report: New York Fed Fumbled Cyber-Heist Response).

Subsequently, SWIFT launched a program aimed at ensuring that all SWIFT-using institutions maintain minimum information security policies and procedures, and it threatened to publicly name and shame any that failed to do so, which could, in effect, lead to some institutions being blacklisted from using the SWIFT messaging system (see SWIFT Will Begin Enforcing Mandatory Security Controls).

In addition, SWIFT warned that Bangladesh Bank was not the only institution to be targeted and said related attack campaigns were continuing.

RCBC Hit With Record Fine

In August, after conducting its own investigation into the heist, the central bank of the Philippines, Bangko Sentral ng Pilipinas, slammed RCBC, which it oversees, with a record fine of 1 billion pesos - equivalent to $21.3 million. In a statement, BSP said that the penalty represented "the largest amount ever approved as part of its supervisory enforcement actions on a BSP-supervised financial institution."

At the same time, BSP noted that RCBC was already taking steps "to strengthen its anti-money laundering and counter-terrorist financing risk management system and governance culture."

Bangladesh's law minister, Anisul Huq, told Reuters that the Bangladesh government views RCBC's payment of the fine as an admission of culpability in the Bangladesh Bank heist.

Huq also said that his government plans to share the results of its investigation into the Bangladesh Bank heist with Philippine authorities. "It is part of cooperation. We will give them an update of our investigation," Huq told Reuters.

Bangladesh's related probe reportedly concluded in May.

Philippines Charges Bankers

Meanwhile, the Philippines has continued to take action. Last month, its Anti-Money Laundering Council, in a complaint to the country's justice department, filed charges against five current and former RCBC officials, Reuters reported.

A copy of the complaint seen by Reuters charged three current retail banking officials and two branch workers, as well as former RCBC treasurer Raul Tan, who resigned in April. The AMLC's complaint blamed Tan for failing to spot and investigate the suspicious transactions involved in the Bangladesh Bank heist.

"Tan could have convened the anti-money laundering committee to act on these red flags," the AMLC's complaint said, adding that Tan "willfully ignored them and failed to conduct thorough investigation," as is required by the country's laws and banking regulations.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



