How a Cyber Heist Ended the Career of Bangladesh’s Respected Central Bank Governor · Global Voices
Rezwan

Atiur Rahman, governor of the Central Bank of Bangladesh. Image from Flickr by IMF. CC BY-NC-ND
His origin story has achieved almost myth-like status in Bangladesh. Born to a poor, landless farmer. Quit schooling early to help his family make ends meet. Defied the odds by obtaining a PhD in the UK.
Perhaps that's what makes Atiur Rahman's resignation from his position as the 10th governor of the Bangladesh Bank, the country's central bank, so anti-climatic. Atiur Rahman, a notable Bangladeshi economist, writer and banker, stepped down on March 15 over his failure to inform the finance minister that hackers had made off with $81 million from an account within the US Federal Reserve Bank. He was due to retire in four and half months.
The hackers were able to make transfers worth that much into the accounts of four men in the Philippines. They apparently took advantage of the fact that Friday was the weekend in Bangladesh and Saturday and Sunday were the weekend in the US.
Another unauthorized transfer request for $20 million to a Sri Lankan non-profit organisation got held up by an intermediary bank because the hackers misspelled the name.
In the meantime, the US Federal Reserve Bank had alerted the Bangladesh central bank about a series of suspicious requests to transfer money and around $850 million in transfers were prevented.
Here's How Hackers Stole $80 Million from Bangladesh Bank https://t.co/ehI9zmcCOw #malware #hacking pic.twitter.com/wnhiyM2qz8
— The Hacker News (@TheHackersNews) March 14, 2016
Bangladesh Bank kept the news of the theft quiet for more than one month, not informing the finance ministry. Instead, it hired Silicon Valley-based international forensic unit FireEye to investigate.
Bangladeshi blogger and computer security expert Ragib Hasan explained on Facebook two possibilities related to the heist. One is the use of malware, which could be installed by a small device like pen drive and later the information was hacked via keystroke recorder. And the other possibility is “an inside job” because you cannot tempt a machine, but can crack a human being:
তাই যেকোনো সিস্টেম হ্যাক করার সবচেয়ে সহজ এবং বহুল প্রচলিত পদ্ধতি হচ্ছে কারিগরি দিকে হাত না দিয়ে সিস্টেমের ব্যবহারকারীদের বোকা বানানো।
[…] the easiest way to hack a system is fooling the users of the system, instead of cracking the system.
Bangladesh Bank is investigating eight officials who deal with foreign exchange transactions. It was revealed that the CCTV of the room was out of order and some of the officials found a SWIFT code enabled computer (the transfer requests were sent from a SWIFT code enabled computer) not working when they arrived at work the following day after the hack, but they didn’t inform their supervisors immediately.
Once news broke of the heist, Bangladesh's finance minister vowed to take action against Bangladesh Bank for not being informed earlier. The finance minister also blamed the US Federal Reserve Bank for not alerting Bangladesh Bank in time.
On social media, some pointed fingers at Atiur. Ragib Hasan wrote:
বিশ্বের ইতিহাসে এতো বড় অংকের ব্যাংক ডাকাতি আগে হয়নি বলেই মনে হয়। আত্মসম্মানবোধ ও বিবেক থাকলে এই পদে আর বাংলাদেশ ব্যাংকের গভর্নর সাহেবের থাকা উচিৎ না।
It seems such a huge heist from the central bank is a world first. If the governor of Bangladesh Bank has some conscience and sense of responsibility, he should resign.
Following the tremendous pressure created by the finance minister's remarks, Rahman resigned on March 15. Despite this blight, his tenure was hailed in some international news outlets who credited his policies with helping Bangladesh become one of the world's fastest growing emerging markets.
In an emotional farewell speech, he talked about how he worked to increase Bangladesh's foreign currency reserve to $28 billion from $6-7 billion when he took the job six years ago. He said he was working to bring back the stolen money.
Blogger Rana Meher reacted on Facebook to his departure, saying it was unfortunately the right thing to do:
আতিয়ার রহমানের পদত্যাগে আমি কষ্ট পেয়েছি। কিন্তু বাংলাদেশ ব্যাংকের প্রধান হিসেবে এই দায় তার ওপর আসে। আর তার সাথে যুক্ত হয়েছে তার উপযুক্ত মহলে সময়মতো যোগাযোগে ব্যর্থতা।
I am hurt that Atiur Rahman resigned. But as the head of Bangladesh Bank he needs to take the responsibility. And added to that was his failure to communicate to the concerned authorities.
Shabhanaz Rashid defended Rahman:
What a fantastic man to lose over a national financial shortcoming, that is in no way one man's responsibility. It's a systemic fault, one that cannot be fixed if the the one honest and radical public servant has to resign over it — instead of receiving bureaucratic support to fight it and strengthen our security. Who'll do the dirty work now, or will it be hastily swept under the rug with a resignation?
Renowned TV anchor Abdun Noor Tushar questioned how his resignation would solve anything:
ড. আতিউর রহমান পদত্যাগ করেছেন, সেটি তার সাহসী ও সৎ পদক্ষেপ।
কিন্তু চোর ধরার ব্যবস্থা কি হলো?
কি করে সার্ভার হ্যাক হলো?
সাইবার নিরাপত্তার বিষয়টি কারা দেখছিলো?
অপরাধী ধরার কাজটি কে করছে?
চোরধরার চেয়ে আতিউর স্যারের নামে গীবত করাই যেন সকলের কাজে পরিনত হয়েছে।
Dr. Atiur has resigned, that's his bold and honest move.
But what happened to nabbing the thieves?
How was the server hacked?
Who was looking after the cybersecurity?
Who is investigating the case?
It seems everyone is happy with only racking up allegations against Dr. Atiur.
According to Rahman, the Bangladesh Bank has already recovered some of the transferred money, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.
If any good can come of this, it's to remind financial institutions around the world to take security seriously, Indian blogger Professor Jayant R Varma wrote. They need to improve their internal systems to combat patient hackers:
Cyber security is still thought to be the responsibility of some computer professionals. The reality is that security has to be designed into all systems and processes in the entire organization. Institutions like central banks that control vast amounts of money need to defend in depth at all levels of the organization. Physical security, hardware security, software security and robust internal systems and processes all contribute to a culture of security in the whole organization.