“Hackers held the systems of Transnational Bank hostage, then asked the management to pay ransom“
Kenyanbusinessfeed.com can authoritatively report that hackers had taken hostage the IT systems at Transnational Bank Limited.
For days, clients could not transact using ATM, mobile and internet banking.
According to documents seen by Kenyanbusinessfeed.com, the hackers demanded an unspecified amount of ransom and threatened, if they did not receive it, to post some sensitive data about the bank to an online school of hackers.
“Dumps from assets below to be dumped in the next 5 hours after failure to make payment”. They included “myQ, AD, Exhange, ERP Echannel, CheckPoint, MB Echannel, Production DB, MIS DB, Reports Delonix, AML Application, AML Database, ChequePro, UAT DB, Trustwave, Intranet Host, Reports, Simba HR DB, Simba HR App, Itax Live, Omni APP, IB, OMNI RTGS, Echannel-Itax, Itax UAT, OMNI APP UAT, OMNI APP”, the hacker wrote of the 2 terabytes (TB) of data.
They did publish the above, complete with IP addresses, which are too sensitive to publish here.
Published information also included logged-in screenshots of a bank worker named Dennis Kiprotich. The other screenshots show a pop-up message stating that the Kericho Branch server is non-responsive.
“[email protected]: Server Kericho Branch Down at 16:04:49”, the pop-up message read, on a page showing six workers logged in. Again, we leave out some critical IP addressing details to protect the bank.
A Word document shows that the aforementioned Dennis Kiprotich is an ICT support staff member who is being promoted to ‘permanent and pensionable’ staff with a recommendation from his line manager Peter Gitonga as ‘a dependable team player’ who is ‘an asset’.
One of the four images is attached below to show that KBF is not engaging in rumours.
System audit
An audit report prepared by the firm Ernst & Young LLP on the information and communication technology controls of Transnational Bank paints a grim picture of the ICT system at the bank.
One of the revelations that caught the eye of this KenyanBusinessFeed.Com editor was under ‘the inadequate password and security settings’. The report stated, ‘the passwords did not meet the minimum complexity requirements’. The systems also allowed ‘Concurrent multiple logins’ on the ‘Chapaa Popote, Chequepoint Truncation System, Paynet and Simba HR Cube systems’.
The second pointer to weak systems in the audit report was ‘inappropriate access to IT administrator role in Chequepoint and Simba HR Cube System’. The audit, signed by EY Risk Advisory Leader for Eastern Africa Mr Robert J. Nyamu, stated that ‘business users had access to administrative IT rights and could create new users’. It also said, ‘review of inward cheque processing on the application, we observed as the user used the ‘Admin’ account to approve the cheque files after upload and adoption by the clearing clerk’.
This ‘increase the risk of overriding controls within the application’, which could lead to ‘unauthorized activities conducted on the payroll’.
The third weakness was ‘Lack of role monitoring of users and user activity in systems’, which posed a ‘risk that application access violations and inappropriate transactions may not be identified in a timely manner’.
The fourth weakness is ‘System issue with reset accounts on Chequepoint Truncation System’. This posed the “risk of user intentionally or unintentionally interfering with financial information by gaining access to more than one user account on the application”.
The last risk concerned the server room, where the auditors noted weak access control.
“During the review of the server room, the following weaknesses were noted: The floor on the server room is raised using wooden material which is combustible. Other combustible materials noted include; the material used for the ceiling and a wooden plank lying on the floor. Combustible material was also observed in the area just outside the server room which is used as a storage area. There was no automatic fire suppression system in the server room. Environmental factors to be controlled in the server room e.g. temperature levels, dust levels, humidity levels, other gases etc. are not monitored. Temperature level is monitored manually by physically going to the server room. There is no warning sign prohibiting drinking, eating and smoking in the data center”.
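The audit's findings on concurrent logins, the ‘Admin’ account approving cheque files and business users creating new users are the kind of activity that user-activity monitoring is meant to surface. The sketch below is an added example, not taken from the audit report or the bank's systems; the event format, dates, account names and action names are constructed assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample events: (time, user, system, action, session id).
EVENTS = [
    ("2020-01-06 09:00:10", "clerk01", "Chequepoint", "login", "s1"),
    ("2020-01-06 09:05:00", "clerk01", "Chequepoint", "upload_cheque_file", "s1"),
    ("2020-01-06 09:06:30", "Admin", "Chequepoint", "login", "s2"),
    ("2020-01-06 09:07:00", "Admin", "Chequepoint", "approve_cheque_file", "s2"),
    ("2020-01-06 09:10:00", "hr_user", "Simba HR Cube", "login", "s3"),
    ("2020-01-06 09:12:00", "hr_user", "Simba HR Cube", "login", "s4"),
    ("2020-01-06 09:15:00", "hr_user", "Simba HR Cube", "create_user", "s4"),
    ("2020-01-06 09:20:00", "hr_user", "Simba HR Cube", "logout", "s3"),
]
SENSITIVE = {"approve_cheque_file", "create_user"}

def review(events, shared_accounts=frozenset({"Admin"}),
           it_admins=frozenset({"it_admin01"})):
    """Return (rule, user, system, time) findings in time order."""
    open_sessions = {}   # (user, system) -> ids of sessions still open
    findings = []
    for ts, user, system, action, sid in sorted(
            events, key=lambda e: datetime.strptime(e[0], FMT)):
        sessions = open_sessions.setdefault((user, system), set())
        if action == "login":
            # A second login while another session is open for the same account.
            if sessions:
                findings.append(("concurrent_login", user, system, ts))
            sessions.add(sid)
        elif action == "logout":
            sessions.discard(sid)
        # Sensitive action under a generic account: no individual accountability.
        if action in SENSITIVE and user in shared_accounts:
            findings.append(("shared_account_action", user, system, ts))
        # User creation by anyone outside the IT administrator list.
        if action == "create_user" and user not in it_admins:
            findings.append(("user_created_by_non_it", user, system, ts))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```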
Though Ernst & Young LLP made recommendations to improve on the above, it is highly unlikely that the bank has implemented them.
We infer this from the date of the report, which is given as 31st December, 2019. The bank’s acquisition by Access Bank, the Nigerian lender led by Herbert Wigwe, was completed at the end of January, and we have noted no activity towards renovations etc.
Going by the above-stated weaknesses, Transnational Bank was open for hacking.
How many banks in Kenya suffer the same negligence?
It is prudent that the bank comes clean and tells its clients what happened.