The World Bank is the world's largest anti-poverty multilateral organization, representing over 185 member nations. World Bank president Robert Zoellick has been pushing hard for the organization -- which hands out $25B USD yearly in poverty relief -- to be pillar of strength amidst the global economic crisis, and a beacon of hope for the future. Those efforts have been dealt a major blow as it has been revealed that the World Bank has lost a large amount of confidential information in what can only be called a mammoth security breach.
According to FOX News, sources with the World Bank confirmed that the World Bank's treasury department has been under cyber assault, with the networks "deeply penetrated" by spy software last April. In June and July the attackers gained full access for a whole month. In total, there have been six separate intrusions in the last year, at least two of which originated from Chinese IP addresses. The most recent attack occurred just last month.
Officials at the bank have tried frantically to keep news of the leak out of the public eye. The bank's senior technology manager sent an email to his colleagues calling the breach an "unprecedented crisis". According to sources the nature of the leak or attackers intentions are still unclear.
However, what is clear is that attackers have gained almost complete access to the World Bank and its most confidential data. According to the internal email "a minimum of 18 servers have been compromised". This includes the bank's security and password server and its Human Resources Server, "that contains scanned images of staff documents".
And that may be just the tip of the iceberg. Sources at World Bank say that as many as 40 servers in total may have been compromised. One of the compromised servers held contract-procurement data, which included sensitive national information.
The bank is trying hard to claim that no data was stolen. A bank spokesman stated, "There were attempts to hack the bank's computer systems last summer. However, there was no compromise of confidential information."
The bank's officials have declined to comment on the attacks.
Meanwhile, sources say the bank has contracted Price Waterhouse Coopers to perform an assessment on the extent of the damages. They have also contracted MANDIANT, a security firm, to flesh-out the details of the breach. Both firms have allegedly submitted lengthy reports to the World Bank.
A senior staff says that the FBI has been investigating the breach, saying "We're not talking about hackers playing games or messing up our website. It's about the FBI coming last summer and saying, 'You should take a look at your systems because we think something weird is going on.' It's about the intruders knowing what information they wanted — and getting to it whenever they wanted to. They took our existing data stores and organized them in a way that they could be easily accessed at will."
The employee continued, "They had access to everything. They had the keys to every room at the bank. And we can't say whether they still do or don't until we fully and openly address what's happening here."
The situation is rather dire as the bank holds a massive amount of confidential world financial data. Both governments and companies store massive amounts of financial information with the bank, all of which may have been compromised. Stocks, bonds, and currency prices are all deeply affected by the World Bank's announcements and decisions. One employee illustrates, "If you know beforehand that the bank is going to put an order in for oil pipelines in Chad or healthcare systems in India, you can actually make a good amount of money."
The breach has allegedly been traced back to at least two employees of Satyam Computer Services, one of India's largest IT companies. These employees allegedly covertly installed spy software on the computers at the bank's Washington headquarters. Indeed, the World Bank is dropping Satyam Computer Services, but is forced to allow them to temporarily remain to transfer data to two other Indian contractors.
Alarmingly, the attackers seemed to know the banks internal systems structure, better than IT administrators themselves. By the end of July they "had completely mapped out the topography of the bank's information systems -- where everything was, the types of servers, and the types of files on the servers."
This contrasts with a World Bank employee who describes that despite spending $280M USD a year for IT support, "We don't even have an internal search engine that works."
Despite publishing apparent copies of internal memos with its report, FOX News was blasted by World Bank's spokesman. While failing to deny the validity of the memos, the spokesman stated, "The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context. Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments."
FOX News is standing by its report.