Insider Bank Attacks: A Hidden Threat to Financial Institutions
Banks are often thought of as fortresses of security, where advanced technology, regulatory oversight, and strong internal controls prevent fraud and theft. However, some of the most devastating financial crimes have not come from the outside, but from within. These cases highlight the scale of damage insiders can cause, the systemic weaknesses they exploit, and the lessons financial institutions must learn to strengthen their defences.
The Punjab National Bank Scam (2018)
The Punjab National Bank (PNB) scam in India remains one of the largest insider fraud cases in banking history. In 2018, it was discovered that two mid-level employees at PNB’s Mumbai branch colluded with diamond merchants Nirav Modi and Mehul Choksi to issue unauthorized Letters of Undertaking (LoUs) through the SWIFT messaging system. These LoUs, which served as guarantees, allowed the merchants to secure large overseas loans without proper collateral or approval from the bank’s credit department.
What made this fraud possible was the deliberate circumvention of internal checks. The employees bypassed the bank’s core banking system, ensuring that the fraudulent LoUs never appeared in official records. As a result, the scam went undetected for several years, during which the merchants accumulated credit amounting to over $1.8 billion. When the fraud eventually came to light, it sent shockwaves through the Indian banking sector, raising questions about oversight, internal auditing, and the overreliance on trust within large institutions.
Jérôme Kerviel and Société Générale (2008)
In 2008, French bank Société Générale reported losses of nearly €4.9 billion due to the unauthorized activities of a single trader, Jérôme Kerviel. Kerviel had once worked in the bank’s middle office, where he gained intimate knowledge of the institution’s risk management and compliance mechanisms. Using this knowledge, he entered fictitious trades designed to offset his real positions, thus concealing the enormous risks he was taking.
Although Kerviel’s actions were not motivated by personal enrichment in the traditional sense (he did not siphon money into personal accounts), his deliberate manipulation of systems and violation of trading limits constituted a profound insider attack. The losses Société Générale suffered remain among the largest ever caused by rogue trading.
The Bangladesh Bank Heist (2016)
The Bangladesh Bank heist is often described as a cyberattack, but insider involvement, or at least insider negligence, appears to have played a role. In February 2016, hackers attempted to steal nearly $1 billion from Bangladesh Bank’s account at the Federal Reserve Bank of New York. By sending fraudulent SWIFT transfer requests, the attackers diverted $81 million to accounts in the Philippines, where it was laundered through casinos.
Investigations into the attack revealed that the perpetrators had unusually detailed knowledge of the bank’s SWIFT infrastructure and operational routines. This raised suspicions that insiders either assisted the attackers directly or failed to follow security protocols that would have stopped the fraud. While much of the focus has been on the international cybercrime syndicate behind the heist, the case also illustrates how insider vulnerabilities, whether through collusion or carelessness, can magnify external threats.
Morgan Stanley
In 2015, Morgan Stanley, one of the largest financial services companies in the world, was forced to pay a $1M penalty for failing to protect its customers’ records. This was after the company lost $730,000 in customer records to hackers. The breach first came to light in a post published on Pastebin, where six million account records of Morgan Stanley clients were being offered. In the following weeks, a new post was shared on a website pointing to the Speedcoin platform. It featured a teaser of real records from 900 different accounts and provided a link for people interested in purchasing more. This activity was traced to Galen Marsh, an individual employed in the private wealth management division of Morgan Stanley.
It was reported that, over about three years, Marsh conducted a total of approximately 6,000 unauthorized searches in the computer systems and thereby obtained confidential client information, including names, addresses, telephone numbers, account numbers, fixed-income investment information, and account values, totaling approximately $730,000, from client accounts. Marsh uploaded the confidential client information to a personal server at his home. Ironically, investigators confirmed that Marsh’s home server, the very same server he used to exfiltrate customer data from Morgan Stanley, was itself hacked.
Insider Data Theft at Wachovia (2000s)
Not all insider bank attacks involve billions of dollars or high-profile traders. Some are more subtle but equally damaging to trust in financial institutions. In the early 2000s, Wachovia Bank, which later merged into Wells Fargo, faced scandals when employees were caught stealing and selling sensitive customer information to organized crime rings. The stolen data included account numbers, Social Security information, and personal details that enabled widespread identity theft.
The financial losses from this data theft were significant, but the greater damage lay in reputational harm. Customers whose identities were stolen often faced years of difficulties repairing their credit, and Wachovia faced regulatory scrutiny over its lax internal security. This case demonstrates that insider attacks can occur at any level of a bank, from traders handling billions to frontline employees handling customer accounts. In both cases, the outcome is the same: erosion of trust and financial harm.
Employees Most Likely to be Insider Threats
Those who steal data deliberately can have different motives, ranging from taking vengeance on their employer to simply making a financial profit. The individuals most likely to steal data are:
- Departing employees. When someone retires or gets fired, they may take the company’s valuable data with them despite all the NDAs they’ve signed.
- Disgruntled employees. If a team member is mad at their employer for some reason, they may try to harm the company to get revenge.
- Employees conducting industrial espionage. Whether it’s to make money selling your secrets or to get a better job at a competing company, these quiet spies will do their best to take what they want.
Lessons Learned
- Trust without verification is dangerous. In each case, institutions placed too much faith in their employees and too little emphasis on independent auditing and monitoring.
- Insider knowledge is a double-edged sword. While employees need access to perform their duties, that access can be weaponized when oversight is weak.
- Technology alone is not enough. Automated systems like SWIFT or risk monitoring tools can be manipulated by those who know how they function.
- Finally, culture matters. A banking culture that prioritizes profits or speed over compliance can create an environment where insider attacks flourish.
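The PNB case above turned on guarantees sent over SWIFT that never appeared in the core banking system, and the first lesson is verification independent of the people issuing the messages. The following is an added example, not code from the article or from any bank, of what that independent control looks like: reconcile every outbound SWIFT message against the core-banking ledger and flag messages with no ledger record, a mismatched amount, no credit-department approval, or the same user acting as both maker and checker. The message and ledger formats, field names and sample records are simplified assumptions constructed for the example.

```python
"""Reconcile outbound SWIFT guarantee messages against core-banking records.

Added example; the message/ledger formats and all sample data are constructed
assumptions, not any bank's real schema.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SwiftMessage:
    ref: str            # transaction reference shared with the ledger (constructed)
    amount: float
    currency: str
    created_by: str     # user who keyed the message ("maker")
    authorized_by: str  # user who released it ("checker")


@dataclass(frozen=True)
class CbsEntry:
    ref: str
    amount: float
    currency: str
    approved_by: str    # credit-department approver id, empty if none recorded


def reconcile(swift_log, cbs_ledger, tolerance=0.01):
    """Return a list of (ref, reason) findings for outbound messages.

    Every SWIFT message must have a matching core-banking entry with the same
    amount and currency and a recorded credit approval, and must have been
    keyed and released by two different people.
    """
    by_ref = {entry.ref: entry for entry in cbs_ledger}
    findings = []
    for msg in swift_log:
        if msg.created_by == msg.authorized_by:
            findings.append((msg.ref, "maker and checker are the same user"))
        entry = by_ref.get(msg.ref)
        if entry is None:
            # The PNB pattern: a guarantee sent to the counterparty with no
            # trace in the bank's own books.
            findings.append((msg.ref, "no core-banking record for outbound message"))
            continue
        if entry.currency != msg.currency or abs(entry.amount - msg.amount) > tolerance:
            findings.append((msg.ref, f"amount mismatch: SWIFT {msg.amount} {msg.currency} "
                                      f"vs CBS {entry.amount} {entry.currency}"))
        if not entry.approved_by:
            findings.append((msg.ref, "no credit-department approval recorded"))
    return findings


def unrecorded_exposure(swift_log, cbs_ledger):
    """Total amount per currency of messages that have no ledger record at all."""
    recorded = {entry.ref for entry in cbs_ledger}
    exposure = defaultdict(float)
    for msg in swift_log:
        if msg.ref not in recorded:
            exposure[msg.currency] += msg.amount
    return dict(exposure)


# Constructed sample data: one clean message and three control failures.
SWIFT_LOG = [
    SwiftMessage("LOU-0001", 5_000_000.0, "USD", "u_maker", "u_checker"),
    SwiftMessage("LOU-0002", 12_000_000.0, "USD", "u_maker", "u_maker"),   # same user, not in CBS
    SwiftMessage("LOU-0003", 7_500_000.0, "USD", "u_maker", "u_checker"),  # CBS amount differs
    SwiftMessage("LOU-0004", 2_000_000.0, "EUR", "u_maker", "u_checker"),  # no approver in CBS
]
CBS_LEDGER = [
    CbsEntry("LOU-0001", 5_000_000.0, "USD", "credit_07"),
    CbsEntry("LOU-0003", 750_000.0, "USD", "credit_07"),
    CbsEntry("LOU-0004", 2_000_000.0, "EUR", ""),
]

if __name__ == "__main__":
    for ref, reason in reconcile(SWIFT_LOG, CBS_LEDGER):
        print(f"{ref}: {reason}")
    print("unrecorded exposure:", unrecorded_exposure(SWIFT_LOG, CBS_LEDGER))
```

The check only works if it is fed the SWIFT log from the messaging gateway itself rather than from the branch that issues the messages, and is run by a team that cannot edit either source; a reconciliation owned by the same people who key the messages is exactly the kind of trust without verification the lessons above warn about.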
How to Protect an Organization from Insider Threats
While well-trained users can be your security front line, you still need technology as your last line of defense. User Activity Monitoring lets you record and review what users do, so you can verify that their actions follow good security practice. If a malicious outsider gains access to their log-in information, or if an insider chooses to take advantage of their system access, you will have a record of the suspicious activity.
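A record of activity only helps if someone, or something, reads it. As an added example (not the article's or any vendor's code), the block below runs a simple review over constructed user-activity log lines of the kind a monitoring tool might produce: it counts client-record searches per user, compares each user with the peer median, and flags anyone far above it, as well as any data export to a destination outside an approved list. The Morgan Stanley case above, with thousands of searches over several years and uploads to a home server, is the pattern it is built to surface. The log format, user names, thresholds and destinations are all assumptions made for the example.

```python
"""Review constructed user-activity log lines for insider-theft patterns.

Added example; the log line format, thresholds and all sample data are
constructed assumptions, not the output of any real monitoring product.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Assumed format: "<timestamp> user=<id> action=<search|export> [dest=<host>]"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: dest=(?P<dest>\S+))?")


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_outliers(events, factor=5.0, floor=20, allowed_dests=("crm.internal",)):
    """Return {user: [reasons]} for users whose activity stands out.

    A user is flagged when their search count exceeds both an absolute floor
    and `factor` times the median search count of all users, or when they
    export data to a destination that is not on the approved list.
    """
    searches = Counter(e["user"] for e in events if e["action"] == "search")
    baseline = median(searches.values()) if searches else 0
    alerts = defaultdict(list)
    for user, count in searches.items():
        if count > max(floor, factor * baseline):
            alerts[user].append(f"{count} record searches vs peer median {baseline:.0f}")
    for e in events:
        if e["action"] == "export" and e["dest"] not in allowed_dests:
            alerts[e["user"]].append(f"export to non-approved destination {e['dest']}")
    return dict(alerts)


# Constructed sample log: four users with ordinary volumes, one user with an
# outsized search count and an export to an unapproved host.
SAMPLE_LOG = []
for _user, _n in (("alice", 4), ("bob", 6), ("carol", 5), ("dave", 7), ("eve", 80)):
    SAMPLE_LOG += [f"2024-05-01T09:{i % 60:02d}:00Z user={_user} action=search" for i in range(_n)]
SAMPLE_LOG.append("2024-05-01T17:05:00Z user=bob action=export dest=crm.internal")
SAMPLE_LOG.append("2024-05-01T17:40:00Z user=eve action=export dest=home-nas.example")

if __name__ == "__main__":
    for user, reasons in find_outliers(parse(SAMPLE_LOG)).items():
        for reason in reasons:
            print(f"ALERT {user}: {reason}")
```

A peer-median baseline is deliberately crude: it catches a single user who is an order of magnitude above colleagues in the same role, but it will not catch someone who stays just under the threshold for years, which is why the volume check is paired with the export-destination check rather than used alone.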
If your business is like most others, you don’t have the budget to stand up your own security operations center. But that doesn’t remove the need for around-the-clock monitoring and intelligence that will help you investigate incidents and minimize attacks.
In the spirit of preserving your data, session recording software offers a way to protect your organization. Visit www.tsfactory.com to learn more about how we can help you prevent insider threats and data theft.