Data hacking: SBP asks banks to enhance due diligence to protect customers

ISLAMABAD: A racket of international professional hackers has stolen thousands of customers’ data of Pakistani commercial banks and sold it into Poland, Estonia and some other countries, raising fears that those making banking transactions from abroad through credit cards and ATMs would be deprived of their hard-earned money.

Pakistan has also decided to take up the issue with all those international channels as Visa card was also misused for hacking the data of thousands of customers. The government convened an emergency meeting here where the Governor SBP Tariq Bajwa also participated in which it was decided that all precautionary measures would be taken to avoid this financial fraud as early as possible.

One top official of the State Bank of Pakistan (SBP) confirmed to The News on Tuesday that after surfacing of financial scam into the Islamic bank, the central bank gave directives to all banks to enhance due diligence to protect customers.

The SBP has divided all banks operating in Pakistan into three main categories as there are banks including the largest commercial bank of the country where all safety protocols were in place and there was nothing to worry about. In the second category of banks, information technology was in place, but these banks were asked to verify strength of their systems so they were put into risk-prone category. All such banks have suspended their operations from abroad and they advised their customers to inform the banks prior to their departure if they wanted to use their credit cards and ATM cards in foreign countries.

In the third category, there are banks where the installed system was too weak and all these banks were directed to put in pace state-of-the-art system with all safety protocols till the end of this week, otherwise the SBP might take punitive actions against them.

The top official said that there was nothing to worry about domestic users of ATMs and credit cards and this scam had only affected those who were using banking instruments abroad. The official said that professional hackers had stolen data of customers from dark sites and sold into different markets of the world from which the fraud-related transactions were made in the last few days.

Now the law enforcing agencies, especially the Federal Investigation Agency (FIA), has launched a probe and actions against those involved in such heinous financial crime. If negligence was proved against banks on account of placing flawed system or some of their employees were found involved, then the long arm of law will move to take stern action against them.

Meanwhile, the SBP in a statement showed concern at the news items reporting that the data of most banks has been hacked. The SBP categorically rejected such reports. There is no evidence to this effect nor has this information been provided to the SBP by any bank or law enforcement agency.

"We would like to emphasise that except for the incident of October 27th, 2018 in which reportedly the IT security of one bank was compromised, no breach has been reported," the statement said. Nevertheless, the SBP has already instructed all banks to take steps to identify and counter any cyber threat to their systems in coordination with international payment schemes. Representatives of payment schemes have also assured that all steps are being taken to help banks in identifying any cyber threat on card systems and have offered additional controls to them.

In addition to the above, some banks are putting in place further precautionary measures while others are confident of the security of their systems and continue to make all card transactions fully available to their customers. The precautionary measures by some banks include partial restrictions, such as requiring customers to seek prior approval for use in cross-border transactions, or in a few banks, a total restriction on cross border transactions. However, the SBP has been assured that all these temporary, restrictions would be lifted once appropriate IT security measures are in place. It is stressed, that all restrictions pertain only to cross-border transactions, and no bank has instituted any restriction on domestic transactions.

The SBP is engaged with the international payment schemes, payment operators and banks to monitor the current situation continuously to ensure security of the banking system.