Fox News is reporting that the network of the World Bank Group has suffered from six major intrusions since mid 2007, including hackers gaining full access to the rest of the bank's network for nearly a month in June-July 2008. The most recent breach was last month.
The FBI are said to investigating the series of serious security intrusions, which is said to have affected at least 18 servers (some sources are claiming as many as 40), including systems responsible for security (such as the management of passwords) and human resources (where confidential personnel files are held).
Two of the intrusions are said to have been tracked to the same range of IP addresses based in China, but that does not necessarily mean that the attackers are Chinese or supported by the authorities in Beijing. Studies done by Sophos in the past have revealed that there is a large number of compromised computers in China, being controlled by hackers who could be based anywhere in the world.
Put simply - if you were going to illegally access the network of as high profile an organization as the World Bank, would you really use your own computer when it is so easy to take remote control of someone else's? It would be foolish, therefore, to jump to hasty assumptions as to the motivation or origin of these attacks.
One thing that has caught my eye is a memo reportedly sent to World Bank staff by CIO, Guy De Poerck, and a senior treasury official, trying to reassure employees that their own personal information was not put at risk. Part of the memo, published by Fox News [PDF], claims that the bank has since introduced secure authentication tokens for staff accessing their accounts remotely:
It is simply mind-boggling to believe that staff weren't already using secure authentication tokens (those little devices you keep on your keyring to give you a random number when you login to your account). Without them World Bank employees web-access accounts would be rich for the picking by keylogging spyware.
Another part of the memo is reported to say, "The deadline for all Bank staff to take the online information security awareness course is brought forward to December 31 2008":
December 2008? Ermm.. shouldn't this be made a little bit more of a priority? Every worker at every company should be made aware of security issues at their indusction into the organisation, and existing staff should be given regular refreshers. Waiting until the end of the year sounds like security is not being treated as seriously as it should be.
What we can all learn from this incident is that if this can happen to the World Bank it can happen to anyone. All firms, individuals, and organisations, need to take the appropriate steps to properly secure their data and prevent hackers from smashing into their networks.
For instance, why aren't more firms using encryption? If you encrypt your sensitive data (basically, turning your secret and confidential files into gobbledygook which can only be read if you know the right password) then even if hackers do manage to defeat your other defences they won't be able to steal your information.
One question that people are bound to be asking right now is "Is this connected with the current financial crisis?". I don't think we can necessarily link it right now - until we have more information about precisely what information has been stolen, we can only speculate as to what the intention was here. It's possible that it was just curious kids messing around and breaking into networks they shouldn't have rather than inspired by a financial or political motivation.
But it's important to remember one thing. The economy and the banking industry succeed because people have confidence and trust in them. If confidence and trust disappears then things get pretty difficult, and it takes time to restore. Although the implications for an organisation like the World Bank are obviously higher than a small store on the high street, it is still essential that companies do everything they can to ensure that they are seen as a firm who can be trusted to hold data securely, and that the public and organisations can have confidence in them.
If the Fox News report is true, then news of this hack couldn't have come at a worse time for the World Bank.
According to the latest update from Fox News, however, the World Bank is categorically denying the claims of the report:
It seems the rest of us will have to see what develops next. It's a long holiday weekend in America - what's the betting that there will be other financial news making the headlines by the time people return to their jobs on Tuesday?