New whistleblower tells ECB that BOI is hiding a key hack vulnerability
Current bank IT employee makes complaint to European regulator
BANK OF IRELAND has been accused of hiding a significant exposure to a hacking vulnerability from auditors, in a protected disclosure made to the European Central Bank (ECB).
According to the whistleblower’s report, the vulnerability involves the existence of as many as 100,000 so-called ‘orphan accounts’ within the bank’s IT systems.
Orphan or dormant accounts (accounts with no known owner, or that are no longer used) are considered key weaknesses on IT platforms, and they are routinely targeted by hackers.
Details of the whistleblower’s anonymous claims to the ECB come as BoI attempts to recover from the temporary collapse of its online systems last month, when ATMs distributed money that wasn’t in customer accounts.
The revelations also come a week after the MoS reported claims by Colin Larkin – a consultant who developed vital mobile banking software for BoI – that he deliberately left a secret vulnerability in his technology to prevent it being stolen. As a result, Mr Larkin claims the bank’s mobile banking systems are exposed to ‘devastating attacks’ from hackers.
The latest revelations about the existence of up to 100,000 ‘orphan accounts’ were made by a separate whistleblower who works with the bank’s identity team in Dublin.
A spokesperson for BoI last night said there were ‘significant inaccuracies’ in the disclosure, which was submitted through the ECB’s whistleblowing portal.
Before going to the ECB, the whistleblower had raised their concerns internally.
According to the ECB disclosure, BoI has allegedly been ‘hiding’ the ‘true number of orphaned user accounts where the user or owner is unknown’.
The whistleblower claims this alleged deception has been ongoing since 2019.
According to the disclosure, the reason for this alleged deception is that BoI managers wanted to reduce the number of orphan accounts reported during an audit, ‘despite there being over 100,000 of them in reality’.
The whistleblower claims the bank asked ‘companies brought on board to help us to solve these problems to back off while we alter figures and make it look as if we are within the rules when we know we are not’.
The whistleblower also expressed concern that BoI has delayed ‘software upgrades to the identity system for so long that it is out of support’.
The disclosure states: ‘The bank has now delayed the upgrade to the unsupported software of the… platform that controls access to systems and data yet again, even though it has been made clear to us that this is a big security risk and a breach of banking regulations.’
The whistleblower also informed the ECB that their team’s efforts to reduce the number of orphan accounts were often frustrated.
In the disclosure, the whistleblower describes how management requests for account access to be revoked were ‘often intercepted and cancelled by a team of people doing the work manually because the system that should do it automatically has never been implemented properly’.
The disclosure adds: ‘We are still breaching regulations, still running an out-of-date version of the software, still faking the number of orphan accounts with access to bank systems and still running access reviews where nothing really happens and the results can’t be tracked.’
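The two control failures described above (orphan accounts whose owner is unknown or has left, and revocation requests that are never actioned or tracked) are exactly what a routine reconciliation of the identity system against the HR roster is meant to surface. The following is an added illustration, not code from the article or from Bank of Ireland; the account records, HR roster, dormancy window and revocation SLA are all constructed assumptions, and the field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    """One account as exported from the identity system (hypothetical schema)."""
    account_id: str
    owner_id: Optional[str]               # None: the identity system records no owner at all
    last_login: Optional[date]            # None: never logged in
    revocation_requested: Optional[date]  # date a manager asked for access to be removed


@dataclass(frozen=True)
class Person:
    """One person as exported from HR (hypothetical schema)."""
    person_id: str
    active: bool  # False once HR marks the person as having left


# Constructed sample data: not taken from the article or any real system.
HR_ROSTER: Dict[str, Person] = {
    "p1": Person("p1", True),
    "p2": Person("p2", False),  # has left the bank
}

ACCOUNTS: List[Account] = [
    Account("svc-01", None, date(2023, 1, 3), None),             # no owner recorded
    Account("u-100", "p1", date(2023, 8, 28), None),             # healthy account
    Account("u-200", "p2", date(2023, 2, 1), date(2023, 3, 1)),  # owner left; revocation never actioned
    Account("u-300", "p9", None, None),                          # owner id unknown to HR
]


def classify(accounts: List[Account], roster: Dict[str, Person], today: date,
             dormant_days: int = 90, revoke_sla_days: int = 7) -> Dict[str, List[str]]:
    """Reconcile accounts against HR and flag the conditions an access review should catch.

    dormant_days and revoke_sla_days are assumed thresholds, not regulatory values.
    """
    findings: Dict[str, List[str]] = {
        "no_owner": [],            # identity system holds no owner reference
        "owner_unknown": [],       # owner reference does not resolve to anyone in HR
        "owner_left": [],          # owner resolves to a person HR marks as inactive
        "dormant": [],             # no login within the dormancy window
        "revocation_overdue": [],  # a revocation was requested but is past SLA and still live
    }
    for a in accounts:
        if a.owner_id is None:
            findings["no_owner"].append(a.account_id)
        elif a.owner_id not in roster:
            findings["owner_unknown"].append(a.account_id)
        elif not roster[a.owner_id].active:
            findings["owner_left"].append(a.account_id)
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            findings["dormant"].append(a.account_id)
        if a.revocation_requested is not None and (today - a.revocation_requested).days > revoke_sla_days:
            findings["revocation_overdue"].append(a.account_id)
    return findings


def orphan_accounts(findings: Dict[str, List[str]]) -> List[str]:
    """An orphan account is one with no owner, an unresolvable owner, or an owner who has left."""
    return sorted(set(findings["no_owner"]) | set(findings["owner_unknown"]) | set(findings["owner_left"]))


def audit_summary(findings: Dict[str, List[str]], today: date) -> Dict[str, object]:
    """A dated, countable record so that successive access reviews can actually be compared."""
    return {
        "as_of": today.isoformat(),
        "orphan_count": len(orphan_accounts(findings)),
        "dormant_count": len(findings["dormant"]),
        "revocation_overdue_count": len(findings["revocation_overdue"]),
        "orphan_accounts": orphan_accounts(findings),
    }


if __name__ == "__main__":
    result = classify(ACCOUNTS, HR_ROSTER, today=date(2023, 9, 1))
    print(audit_summary(result, date(2023, 9, 1)))
```

The point of the summary record is that the orphan count is derived from raw data on a stated date, so the figure reported to an audit can be reproduced and compared with earlier runs rather than entered by hand; a revocation request that is still live after the SLA shows up as its own finding instead of silently disappearing.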
The whistleblower also claims BoI has instructed staff and contractors to ‘not use certain words like audit, compliance, breach and regulator in emails’ so they will not cause problems if picked up by any discovery searches during audits or regulatory action.
Further allegations in the disclosure relate to developers ‘making changes to live systems’ and the continued existence of a tool used to clone accounts, which the whistleblower claims was created against the advice of auditors.
A spokesperson for the ECB this weekend confirmed it was in receipt of the disclosure – ‘All such reports are examined and assessed thoroughly by our teams, taking into account the specific nature of the allegations and the need to ensure appropriate protection to the informant.’
The spokesperson said the ECB could not comment on any specifics or communicate the outcome of a report to the informant.
But they added there are various EU rules and directives governing how banks should deal with IT risks. These stipulate financial institutions and payment service providers must have robust governance arrangements to identify, manage, monitor and report security risks. If BoI is found to have been in breach of these, it could face enforcement action – as it has in the past.
Asked what actions it had taken to address the concerns highlighted by the whistleblower, and if the bank was cooperating with any actions the ECB has taken, a BoI spokesperson said: ‘These claims contain significant inaccuracies. The bank has robust IT security systems, processes and governance in place.’
In response to queries from the MoS, a spokesperson for the Central Bank said: ‘The Central Bank of Ireland operates a robust protected disclosures scheme, and protects the confidentiality of any person who wishes to make a disclosure. We do not comment on our engagement with those making disclosures, or on our engagement with supervised firms.
‘In general, however, we expect firms to have adequate systems and controls in place to ensure operational resilience, and where issues that impact customers arise they should be addressed and rectified urgently.’
‘Make it look like we are within the rules’