Editorial Board

How to Rob a Central Bank

As brazen heists go, it was a quiet one. Over a single weekend in February, hackers managed to extract tens of millions of dollars from Bangladesh's central bank before anyone noticed. Now the bank is in turmoil, its governor has resigned and much of the cash is missing. It's one of the biggest holdups in history -- and other central banks should be on notice.

The scheme started when intruders inserted malware into Bangladesh Bank's system in January. With information evidently gleaned from the attack, they were able to divert funds from the bank's account at the New York Fed using the SWIFT messaging system. Officials only wised up when the thieves tried to move an additional $850 million to suspect accounts, and a routing bank noticed a comical spelling error in one request. By then, some $81 million was long gone.

A few lessons from this strange tale suggest themselves.

First, central banks make fat targets. Many are under constant attack. Those in the developing world, with lots of new capital but not much digital security, are especially at risk. Bangladesh had amassed some $28 billion in foreign-currency reserves, and its central bank had alarmingly lax defenses. It was a hacker's dream.

Second, fessing up quickly is crucial. Officials at Bangladesh Bank kept quiet for more than a month, and never quite got around to informing the country's finance minister. Meanwhile, the pilfered cash made its way across the globe. Asian governments and industries, in particular, would benefit from better information-sharing about intrusions.

A more crucial lesson is that cybersecurity, though boring, is everyone's responsibility -- even the boss's. ("I am not a technical person," the now ex-governor of Bangladesh Bank said by way of explanation.) All too often, malicious hacks come down to simple human error. Making better use of encryption, access controls and strong verification systems can help, but nothing can substitute for training and vigilance.

Finally, preventing hackers from moving the money they've siphoned off requires global cooperation. The thieves in this case laundered much of the cash through casinos in the Philippines. Not coincidentally, Filipino lawmakers have exempted casinos from anti-money-laundering requirements. Tightening those restrictions would be wise. But there are still far too many places where lax laws, custom or generalized chaos provide a welcome home for dirty money. Changing those norms will only get more urgent.

All told, this puzzling episode should be a wake-up call. Next time, the miscreants won't be so flagrant, greedy or orthographically challenged. They'll have plenty of enticing targets to choose from. And they'll only have to get lucky once.

To contact the senior editor responsible for Bloomberg View’s editorials: David Shipley at davidshipley@bloomberg.net.