Saturday, 7 December 2013

StanChart says private bank client statements stolen

Files found on 'Messiah's' laptop; StanChart customers being informed
By Lee Su Shyan, The Straits Times, 6 Dec 2013

BANK statements for 647 of Standard Chartered Bank's wealthiest clients were stolen and found on an alleged hacker's laptop.

The bank told a hastily convened briefing last night that the February statements of these private banking clients were accessed via the server at a facility run by Fuji Xerox, which prints the documents for StanChart.

StanChart Singapore chief executive Ray Ferguson said that affected clients are being informed, but no unauthorised transactions had been found.



The dramatic revelations only came to light following the Nov 4 arrest of hacking suspect James Raj Arokiasamy, the man behind "The Messiah" pseudonym.

James Raj is in custody, accused of hacking into a town council website on Oct 28.


It is understood the bank statements, which would have detailed, highly confidential information such as the client's address and the amount of funds he held with the bank, were found on his laptop during investigations.

The police notified the Monetary Authority of Singapore (MAS) and StanChart, which began an internal inquiry that led to the bank filing a police report on Monday.

It is not clear how the documents were stolen from the server, nor how they landed on James Raj's laptop.

Mr Ferguson said yesterday that "the confidentiality and privacy of our clients are of paramount importance to us, and we take this incident very seriously".

The bank added that no wholesale banking, business or retail customers were affected.

No questions were taken at the brief session, which was held at StanChart's Marina Bay Financial Centre offices.

Fuji Xerox is also conducting a review, adding that this is the first time such an incident has occurred at its facilities here.

MAS said in a statement that it is working closely with StanChart on the incident, and will "consider if regulatory action against the bank is warranted". It said the theft is an isolated case, but urged all banks to be vigilant.

Banks here outsource a variety of functions to third-party sources, such as systems development and maintenance, or disaster recovery services.

MAS regulations say banks should monitor and review the security policies, procedures and controls of the service provider on a regular basis.

This theft comes amid a spate of hacking incidents here, and in a climate of heightened awareness of cyber threats.

In its statement, MAS said banks had been hit by various cyber threats. It added that it takes a serious view of such threats and has tough rules for financial institutions to protect the security of their data.

Asia-Pacific managing director of Cloud Security Alliance Aloysius Cheang said banks will set out standard operating procedures that they align against international best practices and with local central bank requirements.

He added that banks with processes that they may be outsourcing abroad, for example in India or somewhere else, could face higher risks of security breaches.






Data theft: MAS to review bank's report
Financial firms reminded to step up vigilance in safeguarding client info
By Yasmine Yahya, The Straits Times, 6 Dec 2013

STANDARD Chartered Bank could find itself in hot water with the regulator after yesterday's data theft revelations.

The Monetary Authority of Singapore (MAS) said it will examine the bank's own report into the incident and decide if action needs to be taken.

MAS has also reminded all financial institutions to step up their vigilance in safeguarding computer systems and customer information, including controls at third-party service providers.

Its statement came after StanChart revealed that the February statements of 647 private banking clients had been stolen through a server of Fuji Xerox, which does printing for the bank.

"The bank has confirmed to MAS that this incident has not compromised the bank's own IT systems or infrastructure," MAS said. "We will review StanChart's investigation report and consider if regulatory action against the bank is warranted."

MAS noted that financial institutions across the world have been facing an increasing number and variety of cyber threats.

"MAS takes a serious view of such threats and has stringent requirements in place for financial institutions to protect the security of their IT systems and confidentiality of their client data."

These include regular "vulnerability assessments" and penetration tests, which are carried out regardless of whether such client data is processed in-house or at third-party service providers.

"The recent theft at StanChart is an isolated case, but underscores the need for heightened vigilance in financial institutions, including close management of risks pertaining to service providers," it said.

It is a common practice for banks to engage third-party firms for a range of services, such as mailing, debt collection, embossing credit cards and hosting data centres. Some banks even hire external programmers or IT architects to build or manage IT programs and systems for them.

MAS demands they ensure that these service providers have the right systems and checks in place to protect customer data.

The more sensitive the service, the more stringent their assessments of these third-party firms should be. This could include hiring independent IT auditors to conduct regular assessments of these providers' IT systems.

Mr Aloysius Cheang, managing director of Cloud Security Alliance Asia Pacific, said that data leaks in such cases can generally be traced back to two issues: "The problem could be that the outsourcing partner is not compliant with the standard operating procedures that the bank has imposed on them, or worse still, the bank's own audit process of its service providers is not extensive and rigorous enough."

Mr Cheang, who has worked with various local and international banks on cyber-security issues, said it can be tough for banks to comply fully with MAS' stringent requirements.

"MAS is quite known internationally for having some of the strictest regulations with regard to cyber security in the finance industry," he said.

"Local banks tend to comply with these requirements wholesale as MAS is the main regulator that they answer to, but I have found that at some offshore banks, they tend to bring over the security practices they developed on their home turf, and sometimes these may not be up to the standards set by MAS."






S'pore banks have sound IT security standards: MAS

THE Monetary Authority of Singapore (MAS) thanks Mr Francis Cheng for his letter, offering lessons and suggestions arising from the recent theft of customer data belonging to Standard Chartered Bank ("Questions remain over bank's stolen data"; Monday).

Mr Cheng expressed concern about the reliability of banks conducting their own internal information technology checks, and suggested that the MAS convene an independent financial technology audit committee to conduct stress tests on banks' IT systems.

Banks in Singapore have in place sound IT security standards to maintain efficient delivery of their services and to safeguard customer information. These standards are governed by the banks' own internal IT security policies as well as the minimum expectations set out in MAS' Technology Risk Management Guidelines.

The guidelines require banks to conduct regular internal tests on their systems and networks. These include security vulnerability assessments and penetration tests to identify and rectify any security weaknesses.

To ensure that the assessments are objective and robust, banks are required to engage IT security professionals with the required expertise, who are not involved in the operation of the banks' systems.

These assessments and the required follow-up remedial actions are subject to reviews by both internal and external auditors.

The MAS also reviews these assessments to ensure that the scope of the review, expertise engaged in the testing and follow-up actions are appropriate.

Angelina Fernandez (Ms)
Director (Communications)
Monetary Authority of Singapore
ST Forum, 12 Dec 2013





Stolen data: StanChart replies

WE THANK Mr Francis Cheng for raising relevant and important questions ("Questions remain over bank's stolen data"; Monday) that I will try to address to my best ability.

First, we reiterate our sincere apology to all our customers, specifically our Private Bank clients affected by this incident.

Customer data protection is our responsibility and the confidentiality and privacy of our clients are of paramount importance to us. Upon establishing details of the theft, we immediately issued a media statement of apology because it was the right thing to do.

While we informed the media, the team's first priority was to contact our affected Private Bank clients to personally apologise to them and reassure them that their accounts remained intact, and provide additional options of safeguarding their data. To date, my team has managed to contact the majority of the affected clients and we are very grateful for their understanding and continued support.

Our other focus was to reassure all other customers that they were not affected and that we have not found any unauthorised transactions as a result of the statement theft, as we did not wish to cause any unnecessary alarm to them. Hence our call centres, branches and relationship managers are all equipped to reassure customers who made inquiries.

I agree with Mr Cheng that ideally, we would like to communicate details of the who, what, when, why and how of the statement theft, so that we can help to allay some of the public's fears. However, this is now a criminal case and we are not at liberty to divulge further details, which may compromise ongoing investigations by the Singapore police.

It is our responsibility to constantly improve our controls and processes, and safeguard the integrity of the industry. We adhere to strict guidelines that all financial institutions, including ourselves, have to follow in Singapore for all third-party relationships. In addition, we also subject these relationships to an external audit process.

Cybercrimes against both local and foreign organisations have been on the rise recently, and our task is to continue to work with the police to find out what exactly happened and what else we can do to strengthen the process.

Ray Ferguson
Chief Executive Officer,
Standard Chartered Bank, Singapore
ST Forum, 11 Dec 2013





Questions remain over bank's stolen data

MANY questions are left unanswered by the relevant parties in the report on the bank security breach ("Bank client statements stolen from server"; last Friday).

First, why were Fuji Xerox and Standard Chartered Bank unaware of the stolen statements and had to wait for the police to alert them?

What if the hacker had not been caught and his computer not seized? Would his actions not have been detected, and could more statements have been stolen?

Second, StanChart is the bank responsible and customers hold the bank liable, not their "sub-contractor" Fuji Xerox.

Therefore, the bank should issue an apology and assure customers that this will not happen again.

However, so far, this has not happened, with the bank merely saying that no unauthorised transactions had been found and no wholesale banking, business or retail customers had been affected.

Coupled with the fact that no questions were taken during the briefing on the incident, isn't this insufficient to assuage the customers' fears?

Third, the Monetary Authority of Singapore (MAS) said in a statement that this was an "isolated" case. But how can the stolen bank statements of 647 clients be considered an isolated case, even if it were the job of just one hacker?

Fourth, what sort of fail-safe procedures do StanChart and Fuji Xerox have in place?

Surely it is unsafe to allow companies to do their own tests because these would be purely internal tests.

The MAS should quickly form an independent financial technology audit committee to conduct compulsory stress tests on banks' information technology systems at random.

In any security breach, customers have the right to know the facts, how the banks manage their crises and the steps taken to restore customers' confidence.

Francis Cheng
ST Forum, 9 Dec 2013





Top private banks 'keep data internal'
Most do not outsource printing of statements
By Yasmine Yahya, The Straits Times, 7 Dec 2013

THE practice at Standard Chartered Bank of using a third-party firm to print the monthly statements of its wealthy clients is not followed by three leading private banks here. UBS, Credit Suisse and Bank of Singapore all said they do not outsource the printing of such documents.

"All data remains within UBS infrastructure at all times. At no point in the production process is data transferred externally to a third-party vendor," UBS said.

Bank of Singapore said it does not outsource printing of any materials containing customer information, while Credit Suisse said client statements are printed in-house using its own infrastructure and on its own premises.

Their comments come after dramatic revelations by StanChart on Thursday that the February bank statements of 647 of its private banking clients had been stolen from a server at Fuji Xerox, which was hired to print the material. Police found the statements on the laptop of James Raj Arokiasamy, the alleged hacker behind "The Messiah" pseudonym charged with accessing a town council website. It is not clear how the documents were stolen from the server or how they landed on James Raj's laptop.

Fuji Xerox told The Straits Times that police removed a server and desktop on Thursday from an offsite printing facility used to serve StanChart Private Bank.

The bank statements would likely have contained detailed, highly confidential information such as the clients' home addresses and amount of funds held with the bank. In the wrong hands, such data could be used for a range of criminal activity, said Mr Bryan Tan, a partner of law firm Pinsent Masons MPillay. "For example, it could be used for identity theft - someone could use that data to apply for loans in your name."

The Association of Banks in Singapore said the incident is a stark reminder for all financial institutions to ensure their IT infrastructure and systems are "robust and hardened" - a sentiment echoed by various banks.

However, while UBS and Bank of Singapore keep printing and other back-room functions in-house, few banks have the capacity to print the thousands of client statements that have to be mailed out monthly, or the millions of fliers and other marketing material that they produce annually.

Most outsource this job to printing firms. In fact, banks outsource a wide range of jobs, from credit-card embossing to certain accounting functions, to third-party service providers, said Frost & Sullivan analyst Cathy Huang. "But many banks have built their own private data centres, which they use to operate and store their core functions in-house, so they will typically only outsource less sensitive, secondary functions to third parties," she said.

OCBC Bank's head of group operations Denis Malone said: "Outsourcing of our operations is done very selectively, with the bulk of them performed internally."

Others, such as Barclays, Citi, DBS, HSBC, Maybank and United Overseas Bank, said outsourcing arrangements are strictly managed. This involves regular reviews of the bank's own outsourcing policies, and investing in systems and processes to deter criminal acts. It also means requiring the vendors to carry out vulnerability assessments to protect their own IT infrastructure, and conducting periodic checks on them to review security controls.

Ultimately, said UBS, it means having a system that ensures security throughout the life cycle of the data a bank handles - from creation and classification to handling and processing, dispatch, storage, and finally, the data's destruction.








Private banking clients voice security concerns
By Mok Fei Fei, The Straits Times, 6 Dec 2013

PRIVATE banking clients say trust and the protection of their confidential information is of utmost importance to them.

They are the wealthiest among a bank's clients and get highly personalised service with their banking and investment decisions.

At Standard Chartered, a customer needs at least US$2 million (S$2.5 million) in investable assets to qualify for the special attention lavished on private banking clients.

That means its 647 private banking clients who had their data stolen had at least US$1.29 billion of assets between them.

Businessman G.S. Sareen, who has several private banking accounts, though not with StanChart, was shocked at news that data had been stolen.

He told The Straits Times that private banking is all about having trust with the bank.

"Confidence in knowing the private bank can look after my assets and needs is crucial. Any disruption to that would have a detrimental effect on the relationship."

Mr Sareen said he would switch lenders right away if any breach in security is discovered.

Businessman Ong Hian Eng said he has been approached by StanChart to be a private banking client, but has not signed up.

He said he expects a bank to be above board in all it does, and to ensure confidential information is not leaked.

"I have heard of such hacking incidents elsewhere, it is quite disconcerting, but things with my bank so far have been quite good."

These clients expect higher standards of their bankers as they entrust large sums to them.

Other private banks have their own minimum levels of entry to the exclusive private banking club.

For example, OCBC's private bank, the Bank of Singapore, requires clients to invest a minimum of US$1 million. Credit Suisse Singapore has the same threshold as StanChart - at least US$2 million.

In Asia Pacific, private banking clients tend to be wealthy entrepreneurs and self-made millionaires.

In return for the privilege of managing their money, these banks offer a range of incentives to their top clients.

Some perks include complimentary stays at luxurious hotels around the world, chauffeured limousine airport services and personal concierge services, according to the websites of several private banks here.

Some private bankers even go as far as helping their clients assess which schools their children should attend, or which interior designers they should pick to refurbish their homes.

Such additional perks are needed to grab a bigger slice of the growing pie, given the increasing number of millionaires here and the stiff competition in the private banking market.

A Credit Suisse Global Wealth Report released in October found that there were 174,000 millionaires here in the middle of this year, a rise of 11.5 per cent from last year.

It found the number of millionaires in Singapore had risen sharply after the robust recovery of financial markets in the past year.

The biggest player regionally is Swiss bank UBS, which reclaimed its title as the largest private bank in the Asia Pacific from rival Citi Private Bank.

UBS had US$215 billion of assets under management in Asia Pacific last year, said a survey by trade journal Private Banker International.

StanChart comes in at No. 12, with US$35 billion of assets under management in Asia Pacific last year, unchanged from 2011.

This puts it at a lower rung than the private banking units of local banks DBS Bank and OCBC.

DBS, in the ninth spot, managed US$46 billion of assets last year, while Bank of Singapore came in 10th, having managed US$43 billion.





Latest cyber crime linked to 'Messiah'
By Lim Yan Liang, The Straits Times, 6 Dec 2013

THE theft of data belonging to Standard Chartered Bank's clients is the latest cyber crime to be linked to James Raj Arokiasamy, the alleged hacker behind "The Messiah" pseudonym.

A police spokesman said yesterday that files containing data on the British bank's clients were found in a laptop seized from James Raj after he was arrested.

The 35-year-old was nabbed about a month ago by Malaysian police at his rented flat in Kuala Lumpur. He jumped bail in 2011 after he was arrested for drug offences that year, and was on the run until his arrest on Nov 4.

James Raj has since been charged in Singapore with four drug offences.

He also faces one charge under the Computer Misuse and Cybersecurity Act for allegedly hacking into the Ang Mo Kio Town Council website on Oct 28.

The Attorney-General's Chambers also indicated to the court repeatedly that he is believed to be involved in other recent cyber intrusions here. These include creating and posting a video threatening a wave of cyber attacks to protest against licensing rules for news websites here, while hiding behind "The Messiah" moniker.

The police are looking into the video, which threatened to "go to war with" the Government.

A district court on Tuesday denied him bail and ordered for him to be remanded in police custody for further investigations.

He is set to return to court on Jan 7 for a pre-trial conference.






* MAS takes action against StanChart over client data theft
By Yasmine Yahya, The Straits Times, 12 Apr 2014

THE Monetary Authority of Singapore (MAS) has rapped Standard Chartered Bank over the theft of client data last year.

The MAS said in a statement yesterday that it has taken "appropriate supervisory actions" against the bank, which said in December that the February statements of 647 private banking clients had been stolen through a server of Fuji Xerox. Fuji Xerox had been printing private bank statements for StanChart.

The MAS did not say what action it had taken against StanChart, adding that it generally does not disclose such details.

The bank said in a statement yesterday that it was "very sorry" for the data theft. "We will continue to work closely with the MAS to identify any gaps there may be in the third-party outsourcing process and further tighten the guidelines."

Police had found the statements on the laptop of James Raj Arokiasamy, the alleged hacker behind "The Messiah" pseudonym charged last year with accessing a town council website.

It is not clear how the documents were stolen from the Fuji Xerox server or how they landed on James Raj's laptop.

The bank stopped using Fuji Xerox after the incident and switched to a different printing services provider.

An MAS spokesman said yesterday: "MAS takes a serious view on the safeguarding of customer information, and has reminded all financial institutions to ensure that robust controls are in place, including for operations that have been outsourced to third-party service providers."

Based on past announcements, the MAS has not often had to take such actions.

Last June, it took a range of supervisory actions against 20 banks whose staff were found to have been involved in trying to rig key benchmark rates.

The regulator has said pre- viously that the actions it may take include reprimands, supervisory actions, regulatory sanctions and/or financial penalties, if a bank fails to meet MAS regulatory or supervisory requirements.

MAS guidelines require banks to conduct regular internal tests on their systems. These include security vulnerability assessments and penetration tests to identify any security weaknesses. To ensure that the assessments are objective and robust, banks must engage IT security professionals with the required expertise, who are not involved in the operation of the banks' systems.


No comments:

Post a Comment