According to independent cybersecurity analysts and some officials from Pakistan’s Federal Investigation Agency (FIA), a large-scale hacking operation attacked the nation’s banks beginning on October 27, reports revealed Tuesday.
In the most sensational accounts, the data breach was described as affecting “most” or “almost all” Pakistani banks, enabling the theft of sensitive personal information such as debit card numbers. Pakistan’s central bank pushed back against these reports on Tuesday and said the breach was much smaller than the most sensational claims, amounting to a credit-card scam that made off with only a few thousand dollars.
There clearly was a cyberattack of some sort in the last week of October, since a number of Pakistani banks announced the temporary suspension of international payment transactions, and the State Bank of Pakistan (SBP), the country’s central bank, issued safety instructions on October 29. Pakistani media reports claimed some $6 million was stolen from an institution called BankIslami Pakistan.
The most alarming accounts of a truly massive data breach trace back to a Geo News quote from an FIA officer named Captain Mohammad Shoaib, sometimes described as the head of the agency’s cyber-crimes unit, but Geo News also identified him as a retired official. Whatever his status, Shoaib asserted that “almost all banks’ data has been breached” and “most of the banks have been affected” by the hack.
This quote immediately produced some rather sensational headlines. Dawn.com, for example, began its piece by calling Shoaib’s “almost all banks” comment a “shocking revelation,” but within a few paragraphs was talking about “hackers based outside Pakistan” penetrating the security of “several local banks” to steal “large amounts of money.”
There is quite a large difference between a raid on several banks and an attack that compromises the entire financial system of a nation. Shoaib’s point appears to be not that hackers burned down the firewalls of Pakistani banking and compromised the entire system over the past week, but rather that many smaller cases have been quietly reported over the years by banks reluctant to warn their customers that cyber-theft is on the rise.
Geo News followed up with an extensive report based on the work of a cybersecurity firm called Group-IB, which investigated the BankIslami caper and said even that was not a sudden, violent data breach. Instead, Group-IB said hackers stole a large number of credit and debit card numbers from various banks at some previous time and put 8,000 of them up for sale on a dark web forum on October 26, charging $100 to $135 for each stolen card number. A total of almost 20,000 card numbers appear to have been stolen and posted on dark websites.
The following day, BankIslami officials noticed a flurry of abnormally large transactions worth about $2.6 million and issued a press release, prompting the State Bank of Pakistan’s advisory to shut down international transactions until the situation could be sorted out. The fraudulent transactions do not themselves appear to be “hacking” activity, but rather stolen card numbers employed at automatic teller machines and cash registers in several countries, including the United States.
The credit and debit card numbers do not appear to have been stolen through cyber-espionage. One bank official noted the thieves themselves described it as “skimmed data” – i.e. stolen using card readers surreptitiously installed in cash machines and point-of-sale devices – and said there is no indication the banks themselves were “digitally compromised.”
The State Bank of Pakistan noted the sensational news reports of a massive data breach with “concern” and said it “categorically rejects such reports” in a statement released on Tuesday.
The central bank also pointed out that some news reports gave the amounts appropriated with stolen credit and debit cards in dollars, but most of the numbers actually referred to rupees, which are currently worth less than a penny. Pakistan’s Computer Emergency Response Team estimated the total amount stolen so far was only about $20,000.