Information Security & Factors that Contribute to Data Leakage in the Ukrainian & UK Banking Sector

One of the most important regulatory banking documents on information security is the Regulation on bank secrecy and confidential information, which exists in every bank. This document entered into legal force by the banking sector’s order.

The regulatory document must contain the scope of information constituting the bank’s secret and confidential information; the procedure for its protection in banking institutions (which are responsible for necessary security measures); and responsibility for the disclosure of information. The information security policy may provide measures to staff regarding preservation of confidentiality concerning the storage of confidential information.

The banks information security policy usually includes:

  • Employees and other person’s right to obtain restricted information, the duties of the bank’s officers and employees in terms of handling restricted documents.
  • Rules of access to restricted information; the procedure for development, storage, transferal and movement of restricted documents within the bank.
  • The bank’s personnel obligations to store the restricted information.

The Banks security is primarily associated with the threat of armed robbery attacks. However, now the bank's security departments have an extensive banking system and special service of information security which deals with internal protection of the bank.

Leakage of information covers a wide range of different activities. These include the illegal transfer of information from computers and the loss of paper documents. This could happen by the secret copying of confidential data from disk to disk and removing a copy of the document ‘for himself’ that contains secret information. For financial institutions, the processes of information security are better regulated than in many other industries. There are existing laws and standards to ensure the necessary level of information security, however often its formal compliance addresses only part of the threat. There are two main factors, which are causing the leak of information within the banking sector: human and technical factors.

The rapid increase in the risk of information leakage caused by a series of corporate scandals in connection with the disclosure of confidential data showed that gaps in physical security are not the result of malicious activity. Often such threats are the employees themselves. This can happen when an employee sends an email with attached documents, which include confidential information. Sometimes an employee even could not know that information sent constitutes bank secrets. In other situations, the worker sends important data through public mail server or copies the information to the mobile device, thus, the data then falls into an unprotected environment.  Another category of workers also exist who intentionally,  for their own benefit, transfer confidential information to competitors or third parties.

In Ukraine, according to different research:

  • 75% of confidential information leaks occur by the company's employees.
  • 25% through the use of technique.
  • 25% of employees said that they are honest workers and they would never sell confidetial information.
  • 25% would be willing to sell information.
  • 50% would depending on the circumstances.

In Ukraine, the largest financial loss of money due to a leakage of customer information from the bank occurred in October 1998. The bank operator, who subsequently was a hacker, as a result of unauthorised access to the computer networks of the regional department of the National Bank of Ukraine stole 80.4 million hyenas, transferring them to the accounts of fictitious companies. It became possible because he had access to client information and their accounts from which he illegally transferred money.

Taking into account similar information from the United Kingdom:

  • 37% of bank workers disclose confidential information to friends and family.
  • 21% copied working information on their own computers.
  • 58% gave their computers, which contained business information, for third party use.

According to the Ponemon Institute data protection report, the average cost of information breaches for companies, including banks, in the UK costs 1.7 million pounds. It is possible to lose the entire business because of the drop of consumer confidence, which constitutes a significant part of the total damage every year. 70% of all information leaks, covered by the research, are caused by the negligence of the staff, which suggests that the managers have to better control the workers.

However, not only office bank workers (those who work directly with clients) pose a threat, but also the IT department employees who directly process personal client data, and typically have privileged access to such information. As well as IT employees, part-time workers are usually ready to go through frameworks of the law and transfer information regarding bank’s customers to third parties. This happens because they do not feel any attachment to the work and do not feel they are valued workers.

One more form of information leakage is due to insecure computer systems. Computer systems, without which banks cannot carry out any work, are a source of entirely new and previously unknown method of threats. Through a variety of different technical methods, employees can encrypt messages that they send, in order to circumvent the internal information security system. There are three main ways to do it. The first method is steganography which helps hide the fact that a person has transferred the message. The second method is using chaffing to make the message unclear, however this does not hide the  transmission of messages. The last method is using a ‘Mixmaster node’ which delays and shuffles the order of outbound data packets.

Another factor that contributes to information leakage is hacking. Now more people are using hacker attacks on bank servers to try to acquire confidential customer information: both personal and financial. For instance, one of the first significant hacker attacks connected with the English banking sector took place in 1995. In August 1995 in the UK, 24 year old Russian mathematician Vladimir Levin was arrested. He via his home PC in St. Petersburg gained access to a  banking system of one of the largest U.S. banks, Citibank and stole customer financial information. He illegally transacted 2.8 million dollars to his accounts over the world, including England. In 1994, Vladimir Levin and his accomplice picked up the keys to Citibank’s  banking protection system. Back in 2011 in Ukraine, extracts from the accounts of PrivatBank appeared in the Internet. Through typing in the search engine a certain combination of words in the SERPs were shown links to social service Eventr.com, where the financial data of customers were available to the public.

Despite the rapid development of computer systems and varieties of virus programs, banks are still not paying an attention to the importance of computer security. Not so long ago in 2010, a massive Trojan virus attack infected bank's computer systems and then their customers PCs. The virus had the opportunity to manipulate users online banking accounts without consent. As a consequence, banks and their customers lost $3 million through a banking Trojan.

In addition to all the above factors of client data leaks, it is also possible to indicate the factor of repeated allegations of illegally obtained money laundering. Such information suggests that bank customers are not simple citizens and their bank accounts are full of money. Exactly the opportunity to obtain money by selling personal information about these clients consequently seduces bank employees and hackers alike to commit offences. According to the research information in England, the HSBC and Barclays banks are the two most popular branches subject to attacks and leaks. These banks are often suspects in financial fraud cases and penalties have been  repeatedly been applied to them.