Top officials in charge of Swift, the financial messaging and transfer system used by over 10,000 banks around the world, had suspected cybersecurity vulnerabilities in customer terminals 'for years' but failed to address concerns.
That's the accusation made by over a dozen current and former senior managers and board members of the Belgium-based organisation, who spoke to Reuters in the wake of a number of high-profile, and highly damaging, cyberattacks on banks using Swift mechanisms to transfer funds.
In a series of shockingly candid admissions, the executives claimed that Swift had not regarded the security of customer terminals as a priority until the February attack against the Bangladesh central bank, which successfully compromised $81m (£56m).
The managers claimed they did not receive vital information about hacking attempts but also admitted their own liability in failing to recognise the malicious intrusions.
Leonard Schrank, chief executive of Swift from 1992 to 2007, told Reuters: "The board took their eye off the ball. They were focusing on other things, and not about the fundamental, sacred role of Swift, which is the security and reliability of the system." Schrank said he was "broadly aware" of the security issues but failed to act. "I am partially responsible," he admitted.
The senior bosses said that Swift failed to track live security incidents and consistently failed to monitor the extent of how its smaller banks were handling security. As a likely result of this, millions of dollars remain missing from the Bangladesh central bank, while a slew of other institutions – including in Vietnam, Ecuador and Ukraine – also having reported hacking attempts.
Arthur Cousins, another former board member, said the organisation believed it was banking regulators around the world that were responsible for protecting smaller banks against hacking and fraud attempts, not Swift.
Meanwhile, a spokesperson for Swift has defended the organisation against the board members' claims, saying: "Swift and its board have prioritised security, continually monitoring the landscape and responding by adapting the specific security focuses as threats have evolved.
"Today's security threats are not the same threats the industry faced five or ten years ago – or even a year ago – and like any other responsible organisation we adapt as the threat changes."
As control of Swift still remains firmly under the control of large banks like Citibank, Deutsche Bank and PJ Morgan, most senior officials believed security was already taken of. However, many failed to take into account the thousands of institutions joining from emerging markets.
Alessandro Lanteri, who served on Swift's board between 1995 and 2000, indicated this was when the problems really started to take hold. He said: "The difficulty is always to keep the security system very effective when you deal with little banks and emerging countries. There, it is very difficult to be sure that all the procedures of security are managed in the correct way."
The assertion is backed up the numerous reports claiming the Bangladeshi bank, at the time of the hack, was using no firewall on its computer network and cheap routers to connect to the Swift network. However, it has also emerged that large organisations – including the New York Federal Reserve – may have also missed a number of 'red flags' in the run-up to what is now considered the largest financial cybercrime operation in history.