Sumitomo Matsui Bank sophisticated hacking sends alarm signals

news alert

London, UK - 17 March 2005, 11:30 GMT - A criminal gang with advanced hacking skills has tried to steal GBP 220 million (USD 421 million) from the London offices of the Japanese banking group Sumitomo and transfer the funds to 10 bank accounts around the world. Intelligence on the attempted theft, carried out via key logging software installed on banks' computers, has been circulating in security circles since late last year, after the police warned financial institutions to be on the alert for criminals using Trojan Horse technology that can record every keystroke made on a computer.

Police at the National High Tech Crime Unit (NHTCU) in the UK have been investigating the case since October, when the gang gained access to Sumitomo's computer systems and tried to transfer the cash electronically to several bank accounts around the world. One of the most audacious bank thefts attempted in London for many years was uncovered just before any cash was transferred, in a joint operation with police forces. Israeli police have arrested a man whose business account had been the intended recipient of over GBP 10 million of the cash. The man has been charged with money laundering and deception.

When money and information are both digital, the key challenge for criminals is obtaining the identity authentication details needed to access valuables. If authentication is via a password only, identity theft is easier. The global computer-dependent society is essentially in 'easy mode' on authentication, but not for long, as criminals exploit weaknesses in identity management, according to the mi2g Intelligence Unit.

Earlier this month, using stolen passwords from legitimate customers, intruders accessed personal information on as many as 32,000 US citizens in a database owned by the information broker LexisNexis. At LexisNexis, criminals found a way to compromise the log-ins and passwords of a handful of legitimate customers to get access to the database. The FBI and the US Secret Service are both investigating the breach. The database that was compromised, called Accurint, sells reports for $4.50 each that include an individual's Social Security number, past addresses, date of birth and voter registration information, including party affiliation.

The announcement comes close on the heels of a series of similar high-profile breaches, the most serious affecting another large data broker, ChoicePoint Inc., in which a number of identities were stolen. The ChoicePoint case, together with other data losses, including one affecting some 1.2 million federal employees with Bank of America charge cards, has prompted an outcry for federal government oversight of a loosely regulated commercial sector. In the data-brokering business, sensitive data about nearly every adult American is bought and sold.

The global economic damage from all types of digital risk, including overt and covert digital attacks, malware incidence, phishing scams, DDoS and spam, is estimated to lie between USD 470 billion and USD 578 billion for 2004, more than double the damage calculated for 2003 by the mi2g Intelligence Unit. [Breakdown damages are available.] At an estimated 1.2 billion computer units worldwide, the damage per machine lies between USD 390 and USD 480. As of 2004, the damage per machine caused by digital risk manifestations is running equivalent to the average price of a new computer unit. In 2005 and 2006, the 'digital damage per machine' figure is projected to exceed the price of the machine significantly as the price of computers keeps coming down and the damage from digital risk carries on rising.

"The Sumitomo Matsui attempted heist is the tip of the iceberg that came to light. Banks are already beginning to shy away from their responsibility to compensate users in the event of an online fraud where they have issued warnings and the incapability of the user is to blame," said DK Matai, Executive Chairman, mi2g. "The present computing environment is not fool-proof and is not safe enough because of under-investment, inadequate training and incomplete authentication layers. This era is likely to come to an end with a bang. Triple layer authentication based on something you are, something you know and something you have is the way for the future. Users and government regulators will demand change and they have the collective power to influence the thinking of banks and computing vendors who have at times put profits and time-to-market before safety and security."

Digital risk damages are calculated by the mi2g Intelligence Unit on the basis of helpdesk support costs, overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, cost of recovery and software upgrades. When available, Intellectual Property Rights (IPR) violations as well as customer and supplier liability costs have also been included in the estimates.


mi2g is at the leading edge of building secure on-line banking, broking and trading architectures. The principal applications of our technology are:

1. D2-Banking;
2. Digital Risk Management; and
3. Bespoke Security Architecture.

mi2g pioneers enterprise-wide security practices and technology to save time and cut cost. We enhance comparative advantage within financial services and government agencies. Our real time intelligence is deployed worldwide for contingency capability, executive decision making and strategic threat assessment.
