Occasionally we report on cybersecurity and cyberhacking incidents involving banks and defense contractors. Because we represent whistleblowers and help them get cash awards, reporting these stories is a way to reach those with information. Although some of the stories we have reported have involved millions of dollars of lost funds, none has been as brazen or breathtaking as what you are about to read. According to Wired, last year hackers apparently took over an entire bank.
Wired claims that hackers seized control of all the servers of a Brazilian Bank last October for several hours. The crime was so well executed that bankers couldn’t even use their email system to warn customers. Wired has not named the bank but media and Wikipedia reports it is Banrisul Bank.
Banrisul is the largest bank in Southern Brazil. It has 473 branches in Brazil as well as branches in New York City and Grand Cayman. Banrisul’s nexus with the United States means that whistleblowers within the bank may be eligible for rewards for information about cybersecurity vulnerabilities and unreported hacking attempts. (The lack of a public acknowledgement of the hacking incident worries us because Banrisul has not publicly acknowledged the incidents, assuming that it was the bank that fell prey to the hacking scheme.)
History of Banrisul
Banrisul got its start in 1927 as a farm credit bank. In its earliest days, Banrisul helped financed Brazilian livestock ranchers called gauchos. By 1982, the bank went international with the opening of a branch in New York. Eight years later in 1990, the Brazilian government allowed the bank to become a full service commercial bank.
Today the bank has estimated assets of $25.9 billion and 11,506 employees.
Cyberhacking Incident Targets Banrisul
According to Wired, last fall hackers pulled off the perfect bank robbery. Instead of using weapons and violence, hackers simply rerouted “all of the bank’s online customers to perfectly reconstructed fakes of the bank’s properties, where the marks obediently handed over their account information.”
If the story is accurate, cyber thieves seized and control all the bank’s online operations for 5 to 6 hours. In essence, the criminals took over the bank.
Experts say the hackers targeted a security flaw in the DNS (Domain Name System) registration system. This is the same type attack used previously when hackers redirected traffic from the New York Times to a hacking site. Until now, however, a DNS attack had never been attempted on this scale or was able to take over an entire bank.
The hacking incident was so complete that bankers were unable to alert customers of the incident. They were forced to sit back and watch as the events unfolded. According to Wired, “They couldn’t even communicate with customers to send them an alert. If your DNS is under the control of cybercriminals, you’re basically screwed.”
The incident may not even be over. Although the attack took place six months ago, the hackers infected some of the bank’s customers who logged into the phony sites. The customers were infected with a particularly nasty version of malware, one which shuts off a customer’s antivirus protection.
Many banks do not manage their own DNS. That means their domain names are entrusted to a third-party service, one that may be vulnerable to hacking.
This means that even if a particular bank has the most robust cybersecurity protocols in the industry, it could still lose control of its operations if hackers infiltrate the service that operates its domain name.
Cybersecurity Whistleblowers Eligible for Cash Awards
The hacking incident at Banrisul is long over although some customers are still affected and the bank may be out millions of dollars. Because sensitive log in data may have been compromised so not all the losses are likely known yet.
The hacking incident described by Wired appears preventable. Hopefully Banrisul or whatever bank may have been hacked has learned from the incident.
When cybersecurity violations involve U.S. banks, whistleblower awards may be available to those with inside information about cyber vulnerabilities or unreported hacking incidents.
The U.S. Congress passed the Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) in 1989. That law was originally used to prosecute bankers and outside parties who caused widespread failure within the U.S. savings and loan industry.
After the financial meltdown of 2008, the law was expanded to allow prosecutions of the banks themselves. If a bank takes an action that causes or could cause material weakness, there may be a possible FIRREA violation.
Mere negligence is not enough to trigger a FIRREA violation. Engaging in misconduct is, however.
The Office of the Comptroller of the Currency, FDIC and Federal Reserve have all enacted cybersecurity rules and protocols. Those rules are designed to protect our financial system and insure that depositors are protected.
If a bank violates these rules or fails to promptly report a hacking incident, rewards may be available.
The Financial Institutions Anti Fraud Enforcement Act (FIAFEA) amends FIRREA and allows whistleblowers with inside information about deliberate or reckless misconduct to claim an award. Currently awards are capped at $1.6 million. Maximum awards are common.
Call for Cybersecurity Whistleblowers
The Banrisul incident involves a Brazilian bank. US banks and foreign banks with a nexus to the United States may be eligible for awards. The same is also true for whistleblowers with inside information about cybersecurity vulnerabilities with defense contractors. In nonbanking cases, there is frequently no limit on awards.
Interested in learning whether you may be eligible for an award? Give us a call. All inquiries are protected by the attorney – client privilege and kept confidential.
For more information, contact attorney Brian Mahany at or by phone at (414) 704-6731 (direct). You need not be a U.S. resident or citizen to collect an award. You can also visit our cybersecurity / cyberhacking information page.
MahanyLaw – America’s Cybersecurity Whistleblower Lawyers
[Banrisul made good on the losses reported to date. It was large enough to overcome the losses. Some banks may not be so lucky. Even large banks could fail given the right cyberhacking incident.]