FIA, SBP at odds over theft of bank accounts data

Published November 7, 2018
State Bank denies reports of hacking.— Reuters/File
State Bank denies reports of hacking.— Reuters/File

ISLAMABAD: Amid conflicting reports about a wide breach of bank accounts data, the top investigation agency of the country and the State Bank of Pakistan were found at odds on Tuesday, with the latter claiming that neither any bank nor any law-enforcement agency came up with such information.

The Federal Investigation Agency said ‘international’ hackers were behind the data breach of all major banks and they were asked through the SBP to protect their data and money of their clients. But the State Bank categorically denied such reports and claimed that no such information or evidence had been provided to it.

The issue concerning bank account holders across the country also reverberated in the National Assembly on Tuesday when chairman of the Senate standing committee on interior Rehman Malik sought a comprehensive report from the SBP, the interior ministry and the FIA on the matter within 10 days.

To sort out the matter and devise a joint strategy to handle the issue, an important meeting of the heads of all major banks, the SBP and the top investigation agency is scheduled for next week though a couple of banks moved in the late evening hours to assuage consumer concerns by announcing that their data was completely safe.

State Bank denies reports of hacking; banks cyber security issue echoes in NA

According to the FIA, there is a surge in number of complaints that people have lost their money, running into millions, from their bank accounts due to hacking.

When contacted, FIA’s Cyber Crime Director retired Capt Shoaib told Dawn that complaints regarding online stealing of money from the bank accounts had increased over the past few weeks. He said, “It is the responsibility of the banks to protect the money of their clients.”

He said the data of all main banks of the country had been hacked by ‘international’ hackers and the management of the banks through the SBP had been asked to protect their data and money of their clients.

Only last week, he added, a resident of Islamabad was deprived of Rs2.7million by the hackers and due to FIA’s intervention, that bank paid back the money to the victim.

He said the managements of the banks had been advised to make their data security fool-proof, otherwise, they would lose confidence of account holders.

“The FIA has no mandate to provide shield to the banks against hackers, because it is the sole responsibility of the banks to make their own arrangements to prevent stealing of their data and money of their clients,” he explained.

Later on Tuesday evening, the State Bank finally broke its silence in a press release and denied the reports of a wider data breach.

“SBP categorically rejects such reports” it said. “There is no evidence to this effect nor has this information been provided to the SBP by any bank or law enforcement agency.”

But the IT security firm whose report triggered the entire affair, PakCert, told Dawn that they had indeed shared their report with the SBP on Nov 5. “The report was shared with the State Bank via email at 4:30pm,” said Qazi Mohammad Misbauddin Ahmed, whose name appears on the top of the report. “We even received a response from the recipient a half hour later acknowledging receipt.”

Asked about this report, the SBP spokesperson confirmed receiving the report in question, but said it contained no evidence of a breach of data. “Look at the report carefully,” he said. “All it contains is the name of a bank, the number of cards supposedly in the position of the fraudsters, and price at which the bin containing all these cards can be purchased. Quite likely this data itself is fake,” the SBP spokesperson added.

In order to verify the authenticity of the data contained in the PakCert report, he continued, a bank would need to purchase the data in the bin, then go through the data and match it with what they have in their own database. If there was a match, next step would be to see if any unusual transactions had been reported, he told Dawn. “The banks might carry out some sort of verification at their end, but until that is done, there is no way to say that this is authentic information” in the threat intelligence report produced by PakCert.

As the dark net is full of material of this sort and its authenticity is always difficult to establish, the FIA claimed that a meeting of SBP and all major banks had been called next week to devise a joint strategy to tackle the issue.

Taking a serious notice of the reported hacking of data of the country’s major banks, the opposition drew the attention of the government towards the issue and demanded effective steps to ensure security of bank data.

While speaking on the point of order, former federal minister Ahsan Iqbal raised the issue and urged the government to take effective measures to save the savings of account holders. He said it was quite serious that data of all major banks had been hacked by the hackers in other parts of the world.

“This is a serious matter and the government should address it,” he said.

In response to the concerns, Federal Education Minister Shafqat Mehmood assured the house that the government would take effective steps to protect the money of the account holders. “It is a very serious problem and the government will take action on it,” he added.

Earlier during the day, chairman of the Senate standing committee on interior Rehman Malik sought report from the interior ministry, SBP and FIA on the matter within 10 days. He directed the FIA to probe as to how the data of banks was hacked. “It is quite alarming that bank accounts details of hundreds of thousands of Pakistanis have been stolen,” he added.

Mr Malik, who served as interior minister from 2008-13, said banks were responsible for the security of bank accounts of people. “Ironically, the banks failed to protect the money of their clients,” he said.

Meanwhile, individual banks moved to assuage consumer concerns. MCB issued a late night statement saying “customers’ data is completely safe. Not a single customer has been affected in the incident/ report publicized in media.” Likewise, Sindh Bank assured its customers that “their data is completely secure and is not subject to any internal or external risk”. Other banks are expected to follow suit.

Published in Dawn, November 7th, 2018


21 Jan, 2022

Emergency rumours

ISLAMABAD is once again in the grip of rumours. The latest issue finding traction revolves around a mysterious...
21 Jan, 2022

TTP attack

MONDAY night’s assault on a police party in Islamabad, which left one cop dead and two injured, marks a ...
21 Jan, 2022

Murree suspensions

ON Wednesday, the Met Office issued a red alert for more heavy snowfall in Murree over the coming weekend, and...
20 Jan, 2022

Too great a divide

THE government’s offer of talks to the opposition on electoral and judicial reforms is a welcome development in a...
Military inductees
Updated 20 Jan, 2022

Military inductees

Giving preference to military personnel for appointments in civilian roles is exposing them to unnecessary controversy.
20 Jan, 2022

Suu Kyi charges

MYANMAR’S ruling junta seems determined to spin a complicated legal web around Aung San Suu Kyi to ensure that the...