World Bank's Network Breached?
Bank Refutes News Report of 'Unprecedented Crisis' The World Bank, an internationally-supported institution that provides loans to developing countries, is reported to have suffered a network intrusion that one insider labeled "an unprecedented crisis."The breach, first reported by Fox News, alleges that servers in the Washington, D.C.-based bank's treasury unit were infected with spyware, allowing the hackers to gain full access to at least 18 of the bank's computer servers for almost a month this past summer. No one knows exactly how much data may have been stolen, but one World Bank insider told FOX News that as many as 40 servers may have been penetrated, opening the doors to sensitive information such as staff documents and contract procurement data.
The World Bank, established in 1944, is a source of financial and technical assistance, providing low-interest loans, interest-free credits and grants to developing countries.
World Bank spokesperson Carl Hanlon denies that any information was breached. "The [Fox News] story is wrong and is riddled with falsehoods and errors," Hanlon says. "It cites misinformation from unattributed sources and leaked emails that are taken out of context."
Hanlon does concede, though, that the institution has been targeted by hackers.
"Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these," he says. "But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."
Making the Case
According to internal documents obtained by Fox News, the bank was notified of the intrusions by the FBI in September 2007, as the agency investigated another cybercrime case in Johannesburg, South Africa.
Passwords for all external webmail accounts were disabled for bank staff after this memo on July 22, 2008, which called the new developments an "unprecedented crisis" where "all hands on deck" were called to handle the password changes required for about 4500 staff.
A World Bank memo relates the initial break-in to its employees. "A minimum of 18 servers have been compromised. OIS (Office of Information Security) still does not know the full impact of the security breach or the amount of data that may have been compromised," the memo states.
A more recent memo from Guy-Pierre De Poerck, CISO at the bank, from August 19, 2008 tells World Bank staff to change personal passwords and begin using security tokens to access the bank's applications remotely, and to take the bank's security awareness course sooner. "The deadline for all bank staff to take the online information security awareness course is brought forward to December 31, 2008. This measure has been taken to ensure that staff members are aware of the kinds of attempts which may be made to capture their passwords through fake email and other scams," says De Poerck.
Hanlon says there was only one attempted break-in back in 2007, and the bank has done a number of security upgrades as a result. "Clearly it is of concern to us," Hanlon says. "We take this extremely seriously. At no time was any sensitive information accessed."
The World Bank does not answer to any government agency here in the U.S., other than the U.S. Treasury. It performs internal audits on its systems as a "self-regulated" entity, and receives "summary" approval of its security practices by its board of directors.
Sign of the Times
According to information security experts, breaches like the ones alleged to have occurred at World Bank are increasingly common - and tough to uncover. The best cyber criminals often leave no clues that a crime was committed, and will spend days, weeks and months waiting for an opportunity.
"The last time data thieves broke an actual sweat was 13 years ago, when all systems were in buildings behind locked doors - before the Internet," says Jon Brody at TriCipher, a Los Gatos, CA-based information security company. Brody predicts more such break-ins are occurring everywhere. "During tough times, you can imagine more ill-fated tradeoffs will be made, and more thieves will succeed more often."
Security experts say data thieves, once inside a computer network, will often install spyware to collect data and also install programs to look or "sniff" for access to other computers from vendors, partners and customers that communicate with that network in order to compromise them.
One third-party service provider was recently replaced by the World Bank. Those close to the action say that the reason behind the break was because forensic experts and bank investigators discovered that the vendor's computers may have been the source of the spy software suspected of causing the intrusions. The investigators found spyware, specifically a keystroke logger, had been installed on computers inside the bank's Washington, D.C. headquarters, possibly by the vendor's contractors.