Union Bank's July 2016 crisis - $171mn hacked
What's the story
In July'16, Union Bank of India faced a major crisis - hackers had swindled $171mn (Rs. 1,100cr) from its Nostro account (a bank's account holding foreign currency in another bank). With its swift response and assistance from other agencies, plus a simple mistake made by the hackers, Union managed to get back every cent within 60 hours. Find out how Union averted a disaster.
Beginning
The start of the crisis
"It was around 10:30am" on July 21, says MD Arun Tiwari. "The thing uppermost in my mind was I had to quickly get onto the money trail." By then, $171mn had already been debited to banks in Cambodia, Thailand, Taiwan and Australia. Tiwari informed RBI, the foreign ministry and the Indian Computer Emergency Response Team; he also roped in consultancy-firm EY the same day.
How?
How did it happen?
The breach, it was discovered, was caused by a spam email fraudulently marked from 'RBI', which had a malware attached. The mail was sent to 15 email IDs. Some of the mails were flagged by IT security, while a few employees realized it's a phishing attempt. But someone clicked on the link and the malware was released into the bank's servers.
Information
The hackers leave their footprint behind
The fraud was detected early due to a simple mistake the hackers made: they deleted their six entries, which was detected on Union's end-of-the-day balance report.
Aftermath
Union takes charge to recover stolen money
Officials began with network forensics; one of the first steps was to delink its "380-odd SWIFT pan-India connections", and centralize operations. However, it had to work with "limited resources". A floor was cordoned off at Mumbai's Union Bank Bhawan and employees involved asked not to leave till operations ended. On July 22, Union informed the trail had been traced and movement of funds suspended.
Fault
Union or SWIFT: Who's to be blamed?
Kiran Shetty, SWIFT India CEO, insists their system had "never been compromised"; he said they haven't received "full details" from Union either. Meanwhile, Tiwari maintained he cannot share details because he didn't have a copy. However, he says the measures undertaken subsequently included "the most stringent filtering". However, despite the best security measures in place, Tiwari said he wouldn't rule out future cyber attacks.
Prevention
What's being done to prevent such instances?
Shetty of Swift announced roadshows in five cities on awareness about cyber security. A customer security programme mandates 16 controls and advises another 11. He also said a fast rate of digitization necessitated increased investments on the cyber side too. The RBI has, meanwhile, recommended a chief information and security officer who reports directly to the board.