Reuters:
A Bangladesh government-appointed panel investigating the cyber-heist of $81 million from its central bank in February has found that five officials at the bank were guilty of negligence and carelessness, the head of the panel has told Reuters.
In his first detailed comments on the inquiry since a report was submitted to the government in May, former central bank governor Mohammed Farashuddin said on Thursday that the officials were low to mid-level and were not directly involved in the crime. “They were negligent, careless and indirect accomplices,” he said in an interview at his office. “The committee came to the conclusion that the heist was essentially committed by external elements.” Bangladesh has so far refused to make the inquiry report public, saying it wanted to deny the perpetrators of the crime knowledge of the investigation into one of the world’s biggest cyber-heists.
It was not immediately known if Bangladesh had shared the report with the US Federal Bureau of Investigation, the main agency investigating the crime.
Farashuddin did not name the officials he said had been negligent. A senior central bank official, speaking on condition of anonymity, said no action had been taken against any employee since the inquiry report had not been made public. Bangladesh Bank spokesman Subhankar Saha declined comment.
Although over 10 months have passed since the heist, there have been no arrests and no word on who was behind the complex heist.
Hackers used stolen credentials to try to transfer nearly $1 billion from Bangladesh Bank’s account at the Federal Reserve Bank of New York through the SWIFT transaction system. Many of the transfer orders were blocked or reversed, but $81 million was sent to accounts in a branch of Rizal Commercial Banking Corp (RCBC) in the Philippines.
The money eventually went into the sprawling casino industry in the Philippines, with most of it remaining untraced. Like Bangladesh police investigators, Farashuddin said the inquiry panel had also found that the hackers may have exploited loopholes in the bank’s online security when technicians hooked up the central bank’s local money transfer system with SWIFT’s international payments network late last year.
SWIFT has denied charges that its technicians were responsible for exposing Bangladesh Bank’s systems to hackers. Reuters had reported earlier that Bangladesh Bank had not protected its computer system with a firewall, and used second-hand $10 electronic switches to network computers linked to SWIFT, weaknesses that the hackers may also have exploited. Farashuddin said that RCBC was responsible for allowing the stolen funds to be withdrawn and disbursed into the casino industry.
Bangladesh has said it wants RCBC to compensate it for its losses. RCBC has said Bangladesh Bank was “negligent” in letting the initial security breach take place there, and hence the Manila-based bank need not pay any compensation. So far only about $15 million of the stolen funds have been recovered. Farashuddin said his personal opinion was that it would be better to release the findings of the inquiry into the public domain since it would make clear that some local officials were negligent but not responsible for the heist. “If the government makes the findings public, then Bangladesh Bank’s position will be strengthened,” he said. Bangladesh’s law minister said earlier this week that the government would share the findings of the inquiry with the Philippine authorities.