Eighty One Million Dollar Cyber Heist

I wrote recently about the Panama Papers, probably the largest and most significant data breach of our times. While the dust has settled for now, the breach cost the Icelandic Prime Minister his job and caused severe embarrassment to the British Prime Minister. Well, how about following that with the sobering tale of the world’s largest cyber heist to date? News is only now coming to light about the heist, which took place in February. Nearly $81 million was illegally transferred using the SWIFT interbank network from the Bangladesh Central Bank’s account with the Federal Reserve Bank of New York. The funds were transferred from New York to a Chinese businessman’s account in the Philippines. They were then transferred to local Filipino casinos for laundering, and the businessman in question – whose accounts have now been frozen – claims that his signatures on the fraudulent transactions had been forged. The fraudulent transfers took place on Friday February 5th, a day when the Bangladesh bank was closed, but the fraudulent transactions were not identified until the next day due to a ‘printer problem’. The Federal Reserve Bank was then closed over the weekend, meaning that a full response was not possible until the following Monday – which was, in turn, a public holiday in the Philippines. Details of the hack were kept from the Bangladesh government for ‘several weeks’. While the governor and two deputy governors of the Bangladesh Central Bank have been replaced following the breach and the Bangladesh banking system branded ‘incompetent’, it could have been much, much worse. The criminals requested a total of 35 transfers from...

Card Details going cheap

We’ve written here, over the past twelve months, about some pretty significant data breaches. Some, like last October’s Talk Talk data breach, triggered an almost instant wave of spam and social engineering telephone calls. Elsewhere, the ‘dark web’ has long been the place for criminals to trade stolen data. The Daily Mail – last November – reported that a fraudster who called himself ‘The Martian’ was selling data stolen from Talk Talk for as little as £1.62 a time. Now, worryingly, stolen data has gone ‘mainstream’. The Times reported, on Saturday February 13th, that card data is now available for purchase on an openly available, if still illegal, website. The Times reports claims that details of 100,000 Brits were available on the site priced from just £1.67 per record, and that the site has been updated regularly with over 400,000 new records made available in the six weeks since the start of the year. The MP Keith Vaz, chairman of the home affairs select committee, described it as “deeply disturbing”, suggesting that the site could be funding terrorism and organised crime. He added that “The National Crime Agency must get this site closed” and “I will be writing to the NCA to bring this to their attention.” One might hope that somebody at the NCA takes The Times. That said, at the time of writing this, the site in question was still freely accessible, but even if it is taken down, the stolen data will doubtless be made available elsewhere. Update – a full week later the site was still publicly accessible. Stephen Orfei – the General Manager of the PCI...

Cybercrime is a threat and British businesses can’t afford to ignore it

As I wrote here at the beginning of last December, 2015 will surely be seen as the year of the big data breach: high-profile data breaches at Ashley Madison, Carphone Warehouse, Talk Talk, Hilton Hotels and J D Wetherspoon made headlines. And rightly so, as the personal details of some thirteen million people were compromised in those few breaches. And while some of those breaches were conducted by sophisticated ‘cyber pirates’, others were accomplished by disaffected teenagers. Other data breaches – such as that suffered at Morrisons, which compromised the personal details of some 100,000 Morrisons staff – were the deliberate act of an employee ‘with a grudge’. While the board of Talk Talk concede that the cost of remediating their attack is ‘no more than £35 million’, the relatively small Morrisons breach cost around £2 million to resolve. Anthony Hilton, writing in the London Evening Standard, described cybercrime as a “threat that British businesses can’t afford to ignore”. Hilton cites a study by the Centre for Economic and Business Research that suggested that 60% of surveyed businesses were ‘confident that their security would keep an attacker at bay’, brave words when you consider a survey by PwC suggesting that ‘90% of large companies and 74% of small companies had experienced some kind of breach in the previous 12 months, and most had experienced more than one – the average was four’. The CEBR survey also suggests that 14% of companies have never had a board briefing on cyber security, and 32% have never prepared a formal risk assessment....

Talk Talk hit by major data breach

Once again, a major data breach has hit the headlines; this time it’s Talk Talk. The company claims that ‘there is a chance that… Credit card details and/or bank details’ of up to 4 million customers may be compromised in a ‘significant and sustained cyber-attack’. I wrote here back in July that cyber terrorists were an emerging threat, and the cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4’s Today programme that a Russian Islamist group had posted online to claim responsibility for the attacks. He said that hackers claiming to be a cyber-jihadi group had posted data that appeared to be TalkTalk customers’ private information – although he stressed their claim was yet to be verified or investigated. As Daniel Dresner, a Lecturer in Information and cyber security and governance at Manchester University’s School of Computer Science, observed on BBC ‘Breakfast’ on October 23rd – “There’s four million customers, if they (the hackers) do four million one pound transactions, that’s not a bad haul.” Stephen Orfei, the General Manager of the PCI Security Standards Council, observed at the PCI Congress in Berlin in 2014 that payment card fraud was like a water-filled balloon: you squeeze one place and it appears someplace else. And we all know that Chip & Pin has, since its introduction in 2004, greatly reduced ‘Customer Present’ fraud in the UK. As Stephen Orfei observed, the crime isn’t going away, and why steal a single credit card when you can potentially harvest four million? What does this mean to your business? While we acknowledge that the...