Bank of Valletta may never be able to retrieve the entire €13 million stolen during Wednesday’s cyberattack because reversing such transactions was no easy feat, Times of Malta has been told.
Speaking a day after the bank was forced to temporarily shut down all its operations after it identified a breach, chief business development officer Kenneth Farrugia said that although the 11 transactions made by the hackers had been immediately traced it was not as straightforward to actually reverse the transactions to get the money back.
“We know where the money went and into which banks but what happened at that touchpoint we do not have the visibility to know.
“It’s not simply a matter of asking the banks for the money to be reversed. It does not work like that and there are banking procedures that have to be implemented,” Mr Farrugia said.
He would not even give an indication of how much, if any, of the stolen money had already been retrieved, insisting it was “still too early”. Neither would he go into whether the bank had any information on how much it could eventually get back.
All of the bank’s operations – branches, ATMs, mobile banking and even e-mail services –were suspended at about 1pm on Wednesday after problems in international transfers were detected during the daily reconciliation process in the morning.
The bank has still to establish who was behind the attack, with Mr Farrugia again saying it was still early days for such information to be available.
It’s not the leg from the client to us but from ours to the outside
“At this stage, we don’t know. There isn’t a yes or no answer because the entry points can be through various channels. You can have someone using a USB, someone who received an e-mail with malware in it, through internet banking, etc.
“We have started eliminating by looking at audit logs to try and find out where this came from and what the entry point was. But we have yet to determine the source,” Mr Farrugia continued.
Mr Farrugia noted it was too early to reach any conclusions as to where the cyberattack originated from or whether there was the possibility of potential insider involvement.
He did point out, however, that the breach only involved money and no personal data was leaked.
“We did not have any breach of personal data. Whoever carried out the hack did so for the value. They did not go beyond the payment process that involved our bank,” he specified.
The bank could immediately establish that clients’ accounts remained untouched despite hackers making away with €13 million because a very particular system was breached, Mr Farrugia added.
“They breached our payment processing system from our own account. It’s not the leg from the client to us but from ours to the outside.
“We immediately identified that one leg was working properly but then there were problems with the other leg, where 11 more transactions were found,” he noted.
Mr Farrugia said that while the bank had a business continuity plan, with branch managers being informed of the procedures that would be implemented had the bank remained offline, there was no need for such a plan to kick in because everything was up and running by early yesterday morning.
The only service not yet operating on Thursday was that of payments to third parties and Mr Farrugia said work was under way to restore it, though he could not say when.
The Social Security Department said in a statement social security payments would be deposited as normal tomorrow. Beneficiaries would find the relevant payments in their accounts as usual, it noted.