Highlights
– A series of Internet based attacks penetrated 18 or more computer systems
– Many employees of ousted contractor Satyam still working at the bank
– A new IT strategy is needed to fix the bank’s IT security breaches
Since the summer of 2007, the World Bank, a provider of financial and technical assistance to developing countries around the world, has been plagued by a series of cyber intrusions that one of the bank’s senior technology managers called an “unprecedented crisis.” According to internal memos and testimony from inside sources that were passed on to a major news media outlet, the bank has suffered a series of Internet attacks that penetrated at least 18, and perhaps as many as 40, of the bank’s data servers.
In April 2008, inside sources stated that bank forensic investigators had concluded that one or more employees of Satyam, the India-based company contracted to write and maintain all the software used by the bank throughout its global information network, had been involved in installing sophisticated spyware on workstations inside the bank’s treasury unit at its headquarters in Washington DC. That same month, according to bank insiders, World Bank President Robert Zoellick ordered his top deputies to remove all Satyam employees working for the bank. Fearing a catastrophic collapse of the bank’s IT infrastructure, Zoellick’s deputies convinced him that the best course of action would be to keep these employees on the contract until a “knowledge transfer” of the inner workings of the various information systems to bank staff members was completed. As a result, hundreds of Satyam employees remained involved in the daily operations of the bank’s information systems until September 30, 2008.
A follow-up report by a major news media outlet on November 2, 2008, stated that hundreds of Satyam employees were still working for the bank, either as bank staffers or as employees of other contractors after switching companies. This contradicts the statement of an anonymous World Bank spokesperson, who said that “approximately a dozen former employees have been hired by the bank or other bank suppliers.” The initial contract with Satyam was for $10 million, spread over a five-year period. When the bank discovered that the security breaches had been the work of Satyam employees, the contract was ended prematurely.
When news of a cyber security breach is released to the press, corporations move quickly to reassure their investors and customers that the damage was minor and that steps have been taken to prevent a recurrence. In the case of the World Bank, confidence in the bank’s information security systems is nearly inseparable from confidence in the bank itself. Information about the economies of each of the 185 member nations is voluntarily provided to the bank by the countries themselves, on the assumption that it will remain confidential. Speculators, hedge fund operators, and governments are fully aware that access to the World Bank’s databases could be worth billions. With knowledge of what is contained in the bank’s databases, these entities could increase their leverage over, or even destabilize, other national economies.
In the mid to long term, we expect such breaches to have a potentially negative impact on nations viewed unfavorably by those nations that obtain and hold valuable information concerning their economies. Further, Satyam employees developed most of the code and information systems that power the bank’s IT infrastructure, which presents the bank with another potentially costly task: auditing all of its information systems for any lingering malicious code or “back doors.”
Tip From The FBI Sparks Cyber Intrusion Investigation
In September 2007, the Federal Bureau of Investigation (FBI) was working on a separate cybercrime case when it noticed unusual activity at the International Finance Corporation (IFC), a bank arm that lends to the private sector. A team of bank investigators sent to the Johannesburg hub of the IFC discovered that intruders had gained total access to all of the IFC’s worldwide information, including all incoming and outgoing e-mail for the previous six months. Based on Internet Protocol (IP) addresses obtained during the investigation, investigators speculated that hackers based in China were responsible for the intrusions and data theft at the site. The Johannesburg site is one of several secret hubs containing a “common data store” (CDS) that the World Bank Group has established around the world as backup sites in case of a data wipeout at its Washington DC headquarters.
Since the September 2007 security breach, bank investigators have uncovered two more breaches of the bank’s IT infrastructure. The first, against the bank’s treasury network, was discovered in April 2008 when investigators found spy software covertly installed on workstations inside the bank’s Washington DC headquarters. The software, known as a “key logger,” recorded every keystroke a user typed, including passwords and account information, and transmitted it over the Internet to a location that is still unknown. Upon this discovery, bank officials shut off the data link between the Washington DC headquarters and the bank’s sole offshore computer center in Chennai, India, where Satyam was operating all of the bank’s financial and human resources systems.
During June and July 2008, bank investigators found further breaches of servers located at the bank’s private sector development unit and at MIGA, the bank’s insurance arm. By the end of July 2008, bank investigators had discovered that the intruders had completed a full map of the bank’s information systems, including the location and types of servers and the types of files stored on them. It is still unclear whether other compromised information systems are still operating within the organization, and what has become of the information stolen from the systems that are known to have been breached.
Sweeping Changes Needed to Ensure Information Security
The latest security breaches underscore the need for a complete overhaul of the World Bank’s IT infrastructure if it hopes to regain the confidence of its 185 member nations in its ability to protect their confidential information.
In addition to developing a more comprehensive IT security plan, the bank needs to take a more proactive approach to developing software and policies that allow bank officials to detect when a security breach has taken place. Had the FBI not identified the September 2007 breach, one can only guess how long the theft of sensitive information would have continued.