DHAKA (Reuters) - A Bangladesh government-appointed panel investigating the cyber-heist of $81 million from its central bank in February found five officials at the bank were guilty of negligence and carelessness, the head of the panel told Reuters on Thursday.
In his first detailed comments on the inquiry since a report was submitted to the government in May, former central bank governor Mohammed Farashuddin said the officials were low to mid-level and were not directly involved in the crime.
“They were negligent, careless and indirect accomplices,” he said in an interview in his office. “The committee came to the conclusion that the heist was essentially committed by external elements.”
Bangladesh has so far refused to make the inquiry report public saying it wanted to deny perpetrators knowledge of the investigation into one of the world’s biggest cyber-heists.
It was not immediately known if Bangladesh had shared the report with the U.S. Federal Bureau of Investigation, the main agency investigating the crime.
Farashuddin did not name the officials he found were negligent. A senior central bank official, speaking on condition of anonymity, said no action had been taken against any employee since the inquiry report had not been made public.
Bangladesh Bank spokesman Subhankar Saha declined comment.
Although over 10 months have passed since the heist, there have been no arrests and no word on who carried out the complex heist.
Hackers used stolen credentials to try to transfer nearly $1 billion from Bangladesh Bank’s account at the Federal Reserve Bank of New York through the SWIFT transaction system. Many of the transfer orders were blocked or reversed but $81 million was sent to accounts in a branch of Rizal Commercial Banking Corp (RCBC) (RCB.PS) in the Philippines.
The money eventually went into the sprawling casino industry in the Philippines and most of it remains untraced.
Like Bangladesh police investigators, Farashuddin said the inquiry panel also found the hackers may have exploited loopholes in the bank’s online security when technicians hooked up the central bank’s local money transfer system with SWIFT’s international payments network late last year.
SWIFT has denied charges that its technicians were responsible for exposing Bangladesh Bank’s systems to hackers.
Reuters has reported earlier that Bangladesh Bank had not protected its computer system with a firewall, and used second-hand $10 electronic switches to network computers linked to SWIFT, weaknesses that the hackers may also have exploited.
Farashuddin said that RCBC was responsible for allowing the stolen funds to be withdrawn and disbursed into the casino industry. Bangladesh has said it wants RCBC to compensate it for its losses.
RCBC has said Bangladesh Bank was “negligent” in letting the initial security breach take place there, and hence the Manila-based bank need not pay any compensation. So far only about $15 million of the stolen funds have been recovered.
Farashuddin said his personal opinion was it would be better to make the inquiry report public, since it would make clear that some local officials were negligent but not responsible for the heist.
“If the government would publish, then Bangladesh Bank’s position would be strengthened,” he said.
Bangladesh’s law minister said earlier this week that his government would share the findings of the inquiry with Philippine authorities.
Writing by Krishna N. Das; Editing by Raju Gopalakrishnan