As the local banking industry reels from reports of a potentially massive cyber security breach, the State Bank of Pakistan and the Federal Investigation Agency appeared to be in conflict with each other over the true scale of the attack.
The FIA’s cyber-crime chief set off alarm bells on Tuesday when he said that customers’ data from “almost all major Pakistani banks” was stolen in the security breach, after a recent report from Group-IB, a global cyber security firm, claimed that hackers had released a new dump of Pakistani credit and debit cards on dark web forums.
“Almost all [Pakistani] banks’ data has been breached. According to the reports that we have, most of the banks have been affected,” Director of FIA Cyber-Crimes wing Captain (retd) Mohammad Shoaib told media.
Concerns about a breach of credit and debit card data spread in the banking circles, after a cyber-attack on Bank Islami last week siphoned off at least Rs2.6 million from its accounts. By the end of last week, at least six Pakistani banks had suspended usage of their debit cards outside the country and blocked all international transactions on their cards.
The State Bank, however, rebutted the FIA official’s statement saying there was “no evidence that banks’ data had been breached, except for one” bank – that being Bank Islami.
“It has been noted with concern news items reporting that the data of most banks has been hacked. SBP categorically rejects such reports. There is no evidence to this effect nor has this information been provided to SBP by any bank or law enforcement agency,” the central bank said in a press release.
“We would like to emphasize that except for the incident of October 27th, 2018 in which reportedly the IT security of one bank was compromised, no breach has been reported.
“Nevertheless, SBP has already instructed all banks to take steps to identify and counter any cyber threat to their systems in coordination with international payment schemes.
“Representatives of payment schemes have also assured that all steps are being taken to help banks in identifying any cyber threat on card systems and have offered additional controls to them,” the statement read.
The State Bank added that some banks are also putting in place further precautionary measures while others are confident of the security of their systems and continue to make all card transactions fully available to their customers.
The precautionary measures by some banks, include partial restrictions, such as requiring customers to seek prior approval for use in cross-border transactions, or in a few banks, a total restriction on cross border transactions.
“However, SBP has been assured that all these temporary, restrictions would be lifted once appropriate IT security measures are in place. It is stressed, that all restrictions pertain only to cross-border transactions, and no bank has instituted any restriction on domestic transactions.
