10 cases of insider bank attacks

By Tal Eliyahu, Principal Cyber Security Consultant at SentinelOne

At least 60 percent of cyber-attacks on financial institutions are attributed to privileged users, third-party partners, or malicious employees. This sometimes happens through employee negligence, and sometimes because an employee with malicious intentions commits deliberate sabotage. These threats are hard to control because such threat actors normally operate with authorised access and are treated as trusted when they connect to the organisational network. Banks and other financial institutions are among the top targets, and attacks on them have led to the loss of billions of customer records over the past few years. According to the 2018 Cost of Insider Threats: Global Organisations report, “a malicious insider threat can cost an organisation $2.8M per year, or an average of $604,092 (£498,125) per incident.”

Verizon has found that 77 percent of internal breaches were attributed to employees, 11 percent to external actors only, three percent to partners, and eight percent involved some kind of internal-external collusion, which makes them hard to categorise. Verizon’s annual Data Breach Investigations Report (DBIR) states that since 2010, internal attackers have accounted for almost one in five successful breaches.

A Gartner study on criminal insider threats found that 62 percent of insiders with malicious intent are categorised as people looking for a supplemental income. It is important to note that seniority had little to no effect in this category: just 14 percent of persistently malicious insiders were in a leadership role, and approximately a third had access to sensitive data.

Here are the aftermaths of insider threats across different banking institutions around the world.

JP Morgan Chase
A former employee reportedly sold personal identifying information (PII) and other account information, including the personal identification numbers (PINs) of bank customers. He was first exposed in 2014 when he sold account information to a confidential informant for a sum of $2,500. Later, he reportedly offered four additional accounts for approximately $180,000. Court documents showed that the employee in question told the undercover officer that he needed to “take it easy”, otherwise the bank might realise he had accessed all of the bank accounts that “got hit”.

JP Morgan Chase II
Another former JP Morgan Chase investment advisor, Michael Oppenheim, was accused in a civil complaint of stealing more than $20m from the bank’s clients between 2011 and 2015. Oppenheim claimed to have invested their money in low-risk municipal bonds and sent doctored account statements reportedly showing earned profits on those investments. Over the years, Oppenheim reportedly took steps to conceal his fraud: when a customer asked for a statement reflecting his municipal bond holdings, he created false account statements. At other times, Oppenheim copied a customer’s details onto an account statement reflecting the holdings of another customer, then provided the fabricated statement to convince the customer that he had purchased the municipal bonds as promised. In another instance, Oppenheim transferred money from one customer to another in order to replenish funds he had previously stolen.

JP Morgan Chase III
It was reported that for over two years JP Morgan Chase bankers could access and issue ATM cards for the 15 accounts of elderly and deceased bank clients. Dion Allison was accused of stealing $400,000 from accounts by searching for customers with high, stagnant balances and Social Security deposits. With the help of two of the banker’s friends, the funds were withdrawn using the issued ATM cards around NYC.

Morgan Stanley
In 2015, Morgan Stanley was forced to pay a $1m penalty for failing to protect its customers’ records after the company lost $730,000 in customer records to hackers. The theft came to light through a post published on Pastebin, in which six million account records of Morgan Stanley clients were offered for sale. In the following weeks, a new post was shared on a website pointing to the Speedcoin platform. It featured a teaser of real records from 900 different accounts and provided a link for people interested in purchasing more. The activity was traced to Galen Marsh, an individual employed in the private wealth management division of Morgan Stanley. Marsh was originally a Customer Service Associate and then became a Financial Advisor in the Manhattan office, where he provided financial and investment services to particular private wealth management clients.

It was reported that Marsh conducted a total of approximately 6,000 unauthorised searches in the computer systems over about three years, and thereby obtained confidential client information, including names, addresses, telephone numbers, account numbers, fixed-income investment information, and account values totaling approximately $730,000, from client accounts. Marsh uploaded the confidential client information to a personal server at his home. Ironically, investigators confirmed that Marsh’s home server, the very same server he used to exfiltrate customer data from Morgan Stanley, was itself hacked.

‘The London Whale’
‘The London Whale’ scandal resulted in over $6bn of trading losses for JP Morgan Chase. The claims included wire fraud, falsification of books and records, false filings with the Securities and Exchange Commission, and conspiracy to commit all of those crimes. The individuals’ intent remains unclear, and the charges against two former derivatives traders were dropped. The Department of Justice stated that it “no longer believes that it can rely on the testimony” of Bruno Iksil.

Wells Fargo
Wells Fargo reported insider fraud by employees who created almost two million accounts for clients without their knowledge or consent. Wells Fargo’s clients took notice when they started receiving charges for fees they did not anticipate, together with credit or debit cards they had not requested. Initially, the blame was placed on individual Wells Fargo branch workers and managers. The blame later shifted to top-down pressure to open many accounts per client through cross-selling. This insider fraud was engineered by particular managers of the bank in collaboration with other bank employees. By opening these accounts, Wells Fargo employees were able to access credit illegally. The fraud led to the CFPB fining the bank an estimated $100m, and a total of nearly $3bn when counting the remainder of the losses and fines.

Bangladesh Bank
In 2016, Bangladesh Bank underwent a cyber attack in which more than $81m disappeared without a trace. The attack, which originally targeted $951m, was conducted through a series of transactions that were terminated while $850m was still to be transferred through the SWIFT network. Thirty transactions amounting to $850m were blocked by the Federal Reserve Bank of New York after suspicions arose over a spelling mistake made by the perpetrators. Nearly $101m was transferred from Bangladesh Bank’s account at the New York Fed to Philippines-based Rizal Commercial Banking Corp under fake names, and later disappeared into the casino industry. Only $20m of the $101m, the portion originally traced to Sri Lanka, was successfully recovered from Perera’s Shalika Foundation bank account. It is also important to mention that the Philippines’ Anti-Money Laundering Council accused even bank officials of money laundering in a complaint filed at the country’s Justice Department. It should be noted that no definitive evidence has been published that this breach was caused by insiders.

Punjab National Bank
Punjab National Bank in India parted with almost $43m after Gokulnath Shetty, a bank employee, used a vulnerable password to gain unauthorised access to the SWIFT interbank transaction system. The fraudulent act was carried out to release funds in a highly complex transactional chain devised by Nirav Modi. It was reported that the bank officials issued a series of fraudulent “Letters of Undertaking” and sent them to overseas banks, then to a group of Indian jewellery companies.

A Letter of Undertaking (LOU) is a document issued by a bank to a person or a firm. An LOU is generally used for international transactions and is issued with the credit history of the party concerned in mind. The party can then obtain Buyer’s Credit against this LOU from a foreign bank.

Suntrust Bank
In February 2018, SunTrust Bank became aware of an attempted data breach by a now-former employee who downloaded client information; an internal investigation led to its discovery. It was reported that the compromised data of 1.5m clients included names, addresses, phone numbers, and banking balances. However, the stolen data did not include information such as social security numbers, account numbers, PINs, and passwords. To address the increased risk of identity theft and fraud, SunTrust offered its clients services such as credit monitoring, dark web monitoring, identity “restoration assistance”, and £824m of identity theft insurance. In addition, the bank strengthened its existing security measures, such as ongoing monitoring of accounts, a FICO score program, alerts, tools, and zero-liability fraud protection.

Later, Morgan & Morgan filed a proposed class-action lawsuit seeking damages for the theft of the plaintiffs’ personal and financial information, as well as for imminent and impending injury as a result of identity theft and potential fraud, improper disclosure of personally identifiable information, inadequate notification of the data breach, and loss of privacy.

Bank of America
It was reported that Bank of America lost at least $10m as a result of an insider who sold the data of “about 300” customers to cyber-criminals.