Why are Bangladeshi banks so susceptible to cybersecurity breaches?
The recent breaches are a wake-up call for Bangladesh's financial institutions. As the nation embraces digitalisation, the risks of cybercrime keep growing.
In recent years, Bangladesh has been grappling with a rising tide of cybersecurity breaches, with the financial sector becoming an increasingly frequent target.
The latest victim, City Bank PLC, had sensitive client financial data stolen and sold on underground hacking forums, according to a 5 January blog post by the Bangladesh Cyber Security Intelligence (BCSI).
This alarming breach is only the latest in a series of attacks that have targeted major institutions, including Eastern Bank Limited (EBL) and state-owned telecommunications provider Teletalk.
The implications of these incidents are severe, exposing systemic vulnerabilities and raising questions about the readiness of Bangladesh's digital infrastructure to counter advanced cyber threats.
For consumers, the theft of financial data can lead to devastating personal losses, from emptied bank accounts to stolen identities.
For businesses, the repercussions include loss of customer trust, reputational damage, and potential regulatory penalties.
Experts argue that at the national level, repeated breaches undermine confidence in Bangladesh's financial systems, potentially deterring foreign investment and slowing economic growth.
A pattern of persistent vulnerabilities
The breach at City Bank PLC was uncovered after a threat actor advertised the bank's client financial statements for sale on underground forums. Cybersecurity analysts from CS-CERT identified weaknesses in session management and authentication as the primary entry points. These lapses allowed attackers to bypass access controls and gain unauthorised access to sensitive data.
Although City Bank has assured the public that no unauthorised transactions occurred, the exposure of financial statements places clients at risk of identity theft, phishing schemes, and fraudulent transactions. It also undermines customer trust — a critical asset for any financial institution.
Unfortunately, this is not an isolated incident but part of a broader trend of recurring breaches across Bangladesh's financial landscape.
This breach follows other high-profile attacks in Bangladesh. In 2019, three local private banks fell victim to coordinated cyber-attacks, with hackers siphoning $3 million through ATM withdrawals in Cyprus, Ukraine, and elsewhere. Earlier, the infamous 2016 Bangladesh Bank cyber heist resulted in the loss of $81 million, one of the most audacious financial cyber crimes in history.
These incidents point to systemic vulnerabilities that remain unaddressed despite years of warnings and escalating threats.
Beyond financial institutions, other sectors have also been targeted.
Teletalk, a state-owned telecom company, was similarly compromised, with customer data leaked online. Together, these incidents expose a troubling lack of preparedness across industries and a failure to keep pace with the sophistication of modern cyber threats.
Why do breaches keep happening?
Several factors contribute to the recurring cybersecurity breaches in Bangladesh.
Inadequate regulations, for instance, play a key role. While Bangladesh has made strides in digital transformation, the regulatory framework has not kept pace. There is no dedicated financial data protection law, and enforcement of existing cybersecurity standards is inconsistent.
Cyber security expert Dr B M Mainul Hossain, professor at the Institute of Information Technology (IIT), University of Dhaka, believes the root of the problem is that the country has no data protection act.
"To make sure that financial institutions are spending money and allocating funds for customer data protection, an audit should also be conducted. There should be a body that checks to see if the financial institution is adhering to the international standards and guidelines that are in place to protect client data," he said.
Furthermore, many institutions rely on legacy systems that were never designed to withstand the advanced cyber threats of today. Without regular updates, these systems become prime targets for attackers who exploit unpatched vulnerabilities.
"Data breach is a continuous process. As technology advances, so will hacking techniques. Data breaches can be both internal and external. If systems are not updated, hackers can breach them," said Arif Mainuddin, a cyber security expert from Decodes Lab Limited.
Banks also often lack robust authentication measures, such as multi-factor authentication, leaving accounts exposed to credential theft. Poor session management, for instance session identifiers that are predictable, never expire, or are not replaced after login, compounds the problem by letting an attacker who obtains or guesses one identifier act as the user.
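To make the session-management point concrete, here is an added example (written for this page, not code from the article, CS-CERT, or any bank): a deliberately weak session store of the kind the article describes beside a hardened one. The timeout values, user names and the injectable clock are assumptions chosen for the demonstration.

```python
"""Session handling as a breach entry point: a weak store beside a hardened one.

Added example for this page; not from the article or any bank's systems.
Timeouts, user names and the fake clock are assumptions for the demo.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60          # assumption: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumption: hard cap of 8 hours per session


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    mfa_verified: bool = False


class WeakSessionStore:
    """Anti-pattern: sequential ids, no expiry, same id before and after login."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self._counter = 0

    def create(self, user: str) -> str:
        self._counter += 1
        sid = str(self._counter)  # predictable: an attacker holding "7" tries "1".."6"
        now = time.time()
        self.sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        return self.sessions.get(sid)  # never expires, never rotated


def guess_weak_session(store: WeakSessionStore, attempts: int = 10) -> Optional[str]:
    """Attacker side: enumerate low ids until one resolves to a live session."""
    for i in range(1, attempts + 1):
        if store.lookup(str(i)) is not None:
            return str(i)
    return None


class SessionStore:
    """Hardened store: CSPRNG tokens, hashed at rest, timeouts, rotation on login."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}  # keyed by hash(token)

    @staticmethod
    def _key(token: str) -> str:
        # Only a digest is stored, so a dumped session table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, mfa_verified: bool = False) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[self._key(token)] = Session(user, now, now, mfa_verified)
        return token

    def validate(self, token: str) -> Optional[Session]:
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created > ABSOLUTE_TIMEOUT or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]  # expire server-side, not just in the browser
            return None
        sess.last_seen = now
        return sess

    def rotate(self, token: str, user: Optional[str] = None,
               mfa_verified: Optional[bool] = None) -> Optional[str]:
        """Issue a fresh token at login or privilege change; the old one dies.

        This defeats session fixation. The original `created` stamp is kept so
        rotation cannot be used to extend the absolute timeout.
        """
        sess = self.validate(token)
        if sess is None:
            return None
        del self._sessions[self._key(token)]
        if user is not None:
            sess.user = user
        if mfa_verified is not None:
            sess.mfa_verified = mfa_verified
        new_token = secrets.token_urlsafe(32)
        self._sessions[self._key(new_token)] = sess
        return new_token

    def revoke(self, token: str) -> None:
        """Logout: drop the session so a stolen token stops working immediately."""
        self._sessions.pop(self._key(token), None)


if __name__ == "__main__":
    weak = WeakSessionStore()
    weak.create("victim")
    print("weak store guessed id:", guess_weak_session(weak))

    clock = [0.0]
    store = SessionStore(clock=lambda: clock[0])
    pre_login = store.create("anonymous")
    post_login = store.rotate(pre_login, user="alice", mfa_verified=True)
    print("pre-login token still valid:", store.validate(pre_login) is not None)
    clock[0] = IDLE_TIMEOUT + 1
    print("idle session survives:", store.validate(post_login) is not None)
```

The three properties that matter are the ones CS-CERT-style findings usually turn on: identifiers that cannot be guessed, identifiers that are replaced when the user authenticates or steps up to MFA, and expiry enforced by the server rather than by a cookie attribute the client can ignore.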
"Until and unless there is a hacking incident, organisations do not want to invest in IT security; even if they do, it is simply not enough. Senior officials often are not receptive to upgrading security protocols," said Mainuddin.
Moreover, employees are often the weakest link in cybersecurity. A lack of proper training and awareness can lead to unintentional mishandling of sensitive information or employees falling victim to phishing scams.
"It is true that we lack sufficient personnel with knowledge and experience in the field of digital security," explained Dr Hossain.
Experts also say insider collusion, in which employees help attackers exploit known weaknesses, is not uncommon.
Additionally, many attacks are perpetrated by organised cybercrime groups or state-sponsored actors, such as North Korea's Lazarus Group, which was implicated in the Bangladesh Bank heist. These groups operate with sophisticated tools and tactics, often overwhelming the defences of smaller, less-equipped institutions.
"Whenever there is a breach, that data is sold on the dark web. It is almost untraceable who is selling the data on the dark web," said Mainuddin.
What can be done?
Addressing these challenges requires a multi-pronged approach that involves technological upgrades, regulatory reforms, and capacity building.
Financial institutions must replace legacy systems with modern, secure architecture. Cloud-based infrastructure and AI-assisted monitoring can help detect and contain threats faster, though no technology substitutes for the basics of patching, access control and logging.
"Organisations, both private and public, shouldn't be reluctant to set aside funds for security-related expenses, and they should consider security issues from the inception of solution development," said Dr Hossain.
Regular cybersecurity training for employees is critical. Institutions should simulate phishing attacks and provide hands-on sessions to teach staff how to recognise and respond to threats.
"Organisations should also keep their users up to date to make them aware. They can send reminders for things like regularly changing their passwords," said Arif Mainuddin.
"Users should also be reminded to never share their OTPs [One Time Passwords] with strangers. We are seeing instances where people are sharing their OTPs and getting hacked," he added.
The government must also enact comprehensive data protection laws and enforce stricter compliance standards. A regulatory body dedicated to monitoring cybersecurity in the financial sector could play a crucial role.
"A few breaches have occurred recently. Yet no meaningful steps have been taken to improve security. These incidents keep happening," said Dr Hossain.
Experts believe this sector needs government oversight. The government should not only formulate a data protection act but also follow up on both public and private entities to ensure they are taking necessary measures to protect user data from both inside and outside threats.
Additionally, multi-factor authentication, end-to-end encryption, and zero-trust frameworks should become standard practice. Institutions should invest in threat intelligence platforms that provide real-time insights into emerging risks.
"Organisations need to conduct Vulnerability Assessment and Penetration Testing [VAPT] to find out the weaknesses in their system and take preventive measures. They also need to monitor the dark web and other such platforms to find out if there have been any breaches," urged Mainuddin.
Bangladesh can join global initiatives to combat cybercrime. Sharing information and resources with international cybersecurity organisations can improve defences and facilitate a coordinated response to cross-border threats.
The way forward
The recent breaches are a wake-up call for Bangladesh's financial institutions. As the nation embraces digitalisation, the risks of cybercrime keep growing exponentially.
However, these risks are not insurmountable. With the right mix of investment, regulation, and education, Bangladesh can build a resilient cybersecurity framework capable of protecting its financial ecosystem.
The stakes are high. In a world where data is the new currency, the cost of inaction is simply too great to bear. Financial institutions, regulators, and policymakers must act decisively to secure Bangladesh's digital future.