What Could Have Been Done To Prevent Bank Syariah Indonesia's Cyber Attack?
A major cyber attack on Bank Syariah Indonesia (BSI), one of the largest Islamic banks in the country, has resulted in a massive data breach that exposed the personal and financial information of millions of customers and employees.
The attackers, who identified themselves as the LockBit ransomware group, demanded a ransom of $20 million to not leak the data on the dark web, but the bank apparently did not pay.
The hackers then published the data on their leak site on May 15, 2023, and urged the customers and partners of the bank to sue them for negligence.
How It All Began
According to the hackers, they launched the attack on May 8, 2023, and were able to completely stop all services of the bank, including ATM and mobile banking. They claimed that the bank's management lied to their customers and partners that it was due to technical work being carried out. The hackers said they accessed 1.5 terabytes of confidential data from the bank's servers, including:
Nine databases of personal information of over 15 million individuals, including customers and employees. This included names, phone numbers, addresses, account data, card details, transaction details, etc.
Legal documents, such as non-disclosure agreements (NDAs), contracts, and reports.
Passwords of all internal and external services in the bank.
The hackers gave the bank a deadline of 72 hours to make the ransom payment and "settle the matter". They also warned the bank's customers and partners to stop any cooperation with the company if they did not contact them for settlement.
What Happened Next
The bank did not respond to the hackers' demands or threats. On May 15, 2023, the hackers published the data set allegedly stolen from the bank on their leak site. They also posted a message to the users of BSI, saying that they did not receive any ransom from the target.
They accused the bank of being irresponsible and incompetent, and said that the bank could not get its systems back to work even a week after they were taken down. They claimed that the users would find their data leaked on the dark web, and advised them to turn to "court, and make a class action lawsuit".
The data breach was reported by several media outlets and security researchers who verified the authenticity of some of the leaked data.
How Can This Type of Data Breach Affect a Bank and Its Customers?
The consequences of this data breach for a bank and its customers can be very serious and costly. Some of the possible consequences are:
Identity theft
The hackers can use the personal information of the customers and employees to impersonate them and commit fraud, such as filing tax returns, securing bank loans, opening credit cards, renting properties or even getting a job.
Financial losses
The hackers can use the financial information of the customers and employees to access their bank accounts, transfer funds, make purchases, or sell their data to other criminals.
The bank can also face fines, lawsuits, compensation claims, and increased insurance premiums.
Loss of productivity
The bank can suffer from operational disruptions, system downtime, data recovery efforts, and increased security measures.
The customers and employees can also spend a lot of time and resources to deal with the aftermath of the breach, such as changing passwords, monitoring credit reports, freezing accounts, or disputing charges.
Ruined credit
The hackers can damage the credit scores of the customers and employees by opening new accounts, maxing out credit cards, or defaulting on loans in their names.
This can affect their ability to get other financial services or opportunities in the future.
Lack of privacy
The exposure of personal details such as names, phone numbers, and addresses can cause embarrassment, harassment, blackmail, or even physical harm.
Losing customers
The bank can lose the trust and loyalty of its customers and partners who may switch to other providers or competitors who offer better security and privacy.
This can result in reduced revenue, market share, and growth potential.
Damage to reputation
The bank can suffer from negative publicity, media scrutiny, regulatory investigations, and customer complaints that can tarnish its brand image and credibility.
This can affect its ability to attract and retain customers, employees, investors, and partners.
Loss of intellectual property
The hackers can steal the bank’s proprietary information, such as trade secrets, business plans, strategies, or innovations that give it a competitive edge.
This can result in loss of market value, competitive advantage, or legal rights.
How To Prevent This Type of Data Breach?
The data breach has exposed the vulnerabilities of BSI’s cybersecurity system and practices. To prevent future attacks, the bank should take the following steps:
Conduct a thorough investigation of how the breach occurred and who was responsible.
Notify all affected parties of what happened and what actions they should take to protect themselves.
Implement stronger security measures, such as encryption, firewalls, multi-factor authentication, and regular backups.
Train staff on cybersecurity awareness and best practices, such as using strong passwords, avoiding phishing emails, and reporting suspicious activities.
Monitor network activity and system performance for any signs of intrusion or compromise.
Update software and hardware regularly to patch any vulnerabilities or bugs.
Hire external experts or consultants to audit and improve cybersecurity posture and compliance.
What Steps Could Bank Syariah Indonesia (BSI) Have Taken?
According to cybersecurity experts and best practices, there are several steps that BSI could have taken to prevent or mitigate the LockBit data breach. Some of these steps are:
Update and upgrade software
BSI should have applied all software updates and patches as soon as they were available, ideally by automating this process.
Cybercriminals can exploit vulnerabilities in outdated or unpatched software to gain access to systems and data.
Limit and control account access
BSI should have adopted a zero-trust framework for account privileges, granting them sparingly only as users needed them.
BSI should also have documented procedures for securely resetting credentials or used a privileged access management tool to automate credential management.
BSI should also have updated its onboarding and offboarding procedures to align with a zero-trust approach. These measures could have prevented hackers from using stolen or compromised credentials to access systems and data.
Enforce signed software execution policies
BSI should have ensured that its operating systems protected themselves using Secure Boot, which ensures that devices boot using only trusted, signed software.
BSI should also have enforced signed software execution policies for scripts, executables, device drivers, and system firmware. Allowing unsigned software could have given hackers an entry point.
Formalize a disaster recovery plan
BSI should have crafted a disaster recovery plan (DRP) that addressed data protection, data restoration, offsite backups, system reconstitution, configurations, and logs.
A DRP could have helped BSI to quickly recover from the attack and minimize the damage. BSI should also have continuously reviewed and updated its DRP to identify any gaps.
Encrypt data
BSI should have encrypted its data both at rest and in transit, using strong encryption algorithms and keys. Encryption could have made it harder for hackers to access or use the stolen data.
Implement multi-factor authentication
BSI should have implemented multi-factor authentication (MFA) for all its internal and external services, requiring users to provide more than one piece of evidence to verify their identity.
MFA could have added an extra layer of security and reduced the risk of credential theft or misuse.
Actively manage systems and configurations
BSI should have regularly scanned and taken inventory of its network devices and software, removing any unnecessary or unexpected hardware or software from the network.
This could have reduced the attack surface and established control of the operational environment.
Train staff on cybersecurity awareness
BSI should have trained its staff on cybersecurity awareness and best practices, such as using strong passwords, avoiding phishing emails, and reporting suspicious activities.
This could have enhanced the human factor of cybersecurity and prevented human errors or negligence that could have facilitated the attack.
Monitor network activity and system performance
BSI should have monitored its network activity and system performance for any signs of intrusion or compromise.
This could have helped BSI detect and respond to the attack in a timely manner, and prevent or limit the data exfiltration.
Update software and hardware regularly
BSI should have updated its software and hardware regularly to patch any vulnerabilities or bugs.
This could have improved the security and performance of its systems, and prevented hackers from exploiting any weaknesses.
Hire external experts or consultants
BSI should have hired external experts or consultants to audit and improve its cybersecurity posture and compliance.
This could have provided BSI with independent assessments, recommendations, and solutions to address any gaps or issues in its cybersecurity strategy.
Conclusion
The data breach on BSI by LockBit is one of the largest and most damaging cyber attacks on a financial institution in recent history. It has exposed the personal and financial information of millions of customers and employees to hackers who demanded a ransom of $20 million to not leak the data on the dark web.
The bank did not pay the ransom and ignored the threats of the hackers who then published the data on their leak site on May 15.
The breach has serious and costly consequences for both BSI and its customers and employees who may face identity theft, financial losses, loss of productivity, ruined credit, lack of privacy, losing customers, damage to reputation, and loss of intellectual property.
To prevent future attacks, the bank should conduct a thorough investigation, notify all affected parties, implement stronger security measures, train staff on cybersecurity awareness, monitor network activity, update software and hardware regularly, and hire external experts or consultants.