There are virtually no impenetrable computer systems but sometimes companies actually invite the bad guys to steal from them. Here at our IT support company, we had two appointments with potential new customers on the same day last week and in both cases, there were no backups being done.
A single hard disk crash or cryptolocker hit where the hacker doesn’t restore the data and either company would be out of businesses. Without warning. We are talking multimillion dollar businesses in both cases by the way.
You might have heard Bangladesh Bank was recently hit with a billion dollars of fraudulent transfers of which $82 million were successful and most of the money is now gone. $101 million in total was stolen but thankfully some of it was returned.
According to IDG news:
The technicians worked on Bangladesh's Real-time Gross Settlement (RTGS) system, used to transfer money among Bangladeshi banks, three months before hackers attempted to steal US$951 million from the central bank. The work opened up "a lot of loopholes" in bank computer systems, said the head of the criminal investigation department leading the investigation.
Now the police want to know if the technicians did this on purpose or were just negligent. The technicians did not follow usual security procedures, Bangladeshi bank and police officials told Reuters, leaving the bank's SWIFT messaging system remotely accessible, protected only via a simple password and no firewall.
To make a long story very short, the technicians should have isolated the system and not allowed it to be accessed wirelessly, from the internet or hacked via a thumb drive. In addition, no firewall was used.
Could this hack have been prevented? Absolutely, yes.
Had Bangladesh Bank simply hired any above-average IT consulting firm to work in tandem with the technicians, they would have added a firewall, cordoned off the server and done what was needed to be done.
In other words, it doesn’t matter if the intent here from the technicians was malicious or they were just a bunch of amateurs. It always makes sense to bring in a second set of eyes to ensure that technology is being implemented correctly and your company is secure and safe. This breach was a direct result of a lapse of good judgement from the bank stakeholders and should serve as an important lesson to every company with something important to protect.