SBP rejects FIA claim of data theft from 'almost all' Pakistani banks

ISLAMABAD: As the local banking industry reels from reports of a potentially massive cyber security breach, the State Bank of Pakistan and the Federal Investigation Agency appeared to be in conflict with each other over the true scale of the attack.

The FIA’s cyber-crime chief set off alarm bells on Tuesday when he said that customers’ data from "almost all major Pakistani banks" was stolen in the security breach, after a recent report from Group-IB, a global cyber security firm, claimed that hackers had released a new dump of Pakistani credit and debit cards on dark web forums.

"Almost all [Pakistani] banks' data has been breached. According to the reports that we have, most of the banks have been affected," Director of FIA Cyber-Crimes wing Captain (retd) Mohammad Shoaib told Geo News.

Concerns about a breach of credit and debit card data spread in the banking circles, after a cyber-attack on Bank Islami last week siphoned off at least Rs2.6 million from its accounts. By the end of last week, at least six Pakistani banks had suspended usage of their debit cards outside the country and blocked all international transactions on their cards.

The State Bank, however, rebutted the FIA official’s statement saying there was “no evidence that banks’ data had been breached, except for one” bank – that being Bank Islami.

“It has been noted with concern news items reporting that the data of most banks has been hacked. SBP categorically rejects such reports. There is no evidence to this effect nor has this information been provided to SBP by any bank or law enforcement agency,” the central bank said in a press release.

“We would like to emphasize that except for the incident of October 27th, 2018 in which reportedly the IT security of one bank was compromised, no breach has been reported.

“Nevertheless, SBP has already instructed all banks to take steps to identify and counter any cyber threat to their systems in coordination with international payment schemes.

“Representatives of payment schemes have also assured that all steps are being taken to help banks in identifying any cyber threat on card systems and have offered additional controls to them,” the statement read.

The State Bank added that some banks are also putting in place further precautionary measures while others are confident of the security of their systems and continue to make all card transactions fully available to their customers.

“The precautionary measures by some banks, include partial restrictions, such as requiring customers to seek prior approval for use in cross-border transactions, or in a few banks, a total restriction on cross border transactions.

“However, SBP has been assured that all these temporary, restrictions would be lifted once appropriate IT security measures are in place. It is stressed, that all restrictions pertain only to cross-border transactions, and no bank has instituted any restriction on domestic transactions.

“SBP is engaged with the international payment schemes, payment operators and banks to monitor the current situation continuously to ensure security of the banking system,” the central bank added.

Cyber security experts say details of more than 19,000 debit cards from 22 Pakistani banks have been stolen in the cyber theft, the biggest of its kind to hit the country's banking system.

The breach surfaced on October 27, when officials at Bank Islami noticed abnormal transactions of unusually large amounts on one of its international payment card schemes.

During these transactions a cybercrime group cashed out $2.6 million, according to global cyber security firm Group-IB.

Group-IB further said hackers had released a new dump of Pakistani credit and debit cards on dark web forums on October 26. The hackers put up the dump, titled "PAKISTANWORLD-EU-MIX-01" with over 10,467 records, on sale on Jokerstash—a virtual Darkweb hub of stolen card data used by hackers as a distribution point for compromised accounts.

More than 8,000 of the cards in the dump belonged to at least nine Pakistani banks and were available for prices ranging from $100 to $135 each.

Bank Islami issued a press release on October 28 announcing that they had become the victim of a cybercrime attack.

The State Bank followed by issuing its own security instructions, saying the compromised cards were cashed out via ATM and POS in different countries including USA and Russia.

Also read: How to guard yourself against credit/debit card theft

The FIA’s cyber-crime chief did not reveal exactly when the security breach took place that had affected most Pakistani banks.

“More than 100 cases [of cyber-attack] have been registered with the FIA and are under investigation. We have made several arrests in the case, including that of an international gang [last month],” Capt (retd) Shoaib said.

He shared that the FIA had written to the banks in question and was summoning the banks’ representatives to discuss the situation.