Top Dem probes security response to $81 million bank hack

The top Democrat on the Senate Homeland Security Committee is raising questions about the security of a global banking network after an $81 million hack of Bangladesh’s central bank.

“These cyberattacks raise important questions about the security of the SWIFT system and the ability of its members to prevent future attacks,” Sen. Tom Carper (D-Del.) wrote in a Thursday letter to New York Federal Reserve Bank President William Dudley and Society for Worldwide Interbank Financial Telecommunication (SWIFT) Managing Director Patrick Antonacci.

{mosads}In February, unknown hackers stole $81 million from the Bangladesh account at the Federal Reserve Bank in New York in what is considered the largest cyber heist in history.

Security researchers with the British defense contractor BAE Systems said last month that hackers exploited a flaw in a client messaging software known as Alliance Access.

The software comes from the Brussels-based SWIFT, a collective owned by more than 3,000 financial institutions. Banks across the world use the system to exchange information about financial transactions.

SWIFT has said that its systems were not breached in the incident, arguing its customers are responsible for securing computers connected to the messaging network.

“At the end of the day, we weren’t breached. It was, from our perspective, a customer fraud,” SWIFT CEO Gottfried Leibbrandt said at a financial conference in Frankfurt earlier this month.

But SWIFT has also issued a notice to its customer banks saying the breach was part of a broader effort targeting the global financial system. A Vietnam bank recently announced that it disrupted an attempted cyber theft that involved the malware used to compromise SWIFT’s software in the Bangladesh heist.

Some U.S. banks — including J.P. Morgan Chase — have begun limiting some employees’ access to the software as part of a broader policy to review systems after news of a threat.

The New York Federal Reserve has also denied culpability in the incident, saying it followed normal procedures and that there are no indications its own systems were breached.

According to an internal Bangladesh Bank report, the hackers tried to issue 35 payment instructions to the New York Fed, 30 of which were denied. The breached bank is reportedly weighing legal action, calling the incident “a major lapse on the part of [Federal Reserve Bank] NY.”

Carper pressed both Dudley and Antonacci on how their organizations are responding to the attacks and requested that both arrange a staff briefing on the matter.

“Congress has a responsibility to continue to strengthen our nation’s cybersecurity, including ensuring that the system used by our banks to engage in cross-border transactions is secure,” Carper wrote.