Digital fortress
On the day of Laxmi Puja, hackers mounted a cyber-attack on NIC Asia Bank using the SWIFT system (the most common system used to transfer money across banks globally) to steal millions of rupees. Though Nepal Rastra Bank (NRB) and NIC Asia are keeping mum on the largest cyber theft in Nepal until they conduct an investigation, sources peg the amount to be around Rs460 million.
It has come to light that the Information Technology (IT) department of the bank allowed employees to perform personal tasks, such as checking their personal e-mails, on computers that were supposed to be used specifically to conduct SWIFT transactions. To add fuel to the fire, NIC Asia also allowed IT staff remote access to the server on which the SWIFT system was installed. All this points to a serious laxity in the way this bank, which handles assets valued at over Rs101 billion, manages its IT department—a sector that is proving increasingly crucial with the rise of global banking transactions, e-commerce and e-banking.
This attack mirrors a similar one in February 2016, when Bangladesh Bank (BB)—the central bank of that country—was robbed of $81 million. The damage in this case could have been much worse; BB was able to block transactions worth $850 million from going through.
Similar attacks also occurred in South Korea in 2013 and in Vietnam around the time of the Bangladesh attack, though these were unsuccessful. It is clear in all these cases that some amount of human laxity can be blamed for the attacks.
The modus operandi in the NIC Asia attack, as with the others, seems to be the exploitation (at the user’s end) of the SWIFT inter-bank money transfer system, which counts in its membership more than 11,000 banks worldwide and is used to transfer billions of dollars a day. The hackers seem to have gained access to the SWIFT system using credentials of NIC Asia, thereby issuing 31 unauthorised instructions to transfer money from NIC Asia to banks around the world.
That the bank allowed its IT staff to have remote access to a secure server is worrisome. Connecting non-secure digital mediums, such as personal computers, to a secure network through the internet is a risky venture that adds unnecessary, vulnerable points of access to the system. Allowing staff to open personal e-mails on a secure system blatantly disregards the entire purpose of setting up a protected system in the first place. In addition to this, reports suggest that it was SWIFT and not the bank’s staff that tipped off the management about the leak. This leads to serious questions about the competence of the IT staff hired by the bank. NIC Asia also has gaps in senior IT management, with both the head and deputy head positions empty. In a world where more and more payments and transactions are digitised, banks need to put much more effort into constructing secure digital fortresses.