Cybercriminals infiltrated the Mexican financial system for several days at the end of April 2018 and stole nearly 400 million Mexican pesos (almost 20 million USD) from concentration accounts but not from private clients.
It was not known for certain what financial institutions had been affected but reports suggest that at least five banks had recorded large withdrawals of money through unauthorized transfers to bogus accounts, the Bank of Mexico told Bloomberg.
According to a report in El Financiero, Banorte was one of the institutions affected, suffering losses in the region of 150 million pesos. It was the only bank to publicly acknowledge that breaches had taken place, but also confirmed that none of its clients were affected.
Another report has stated that BanBajío was one of the other financial institutions affected by the cyberattack with estimated losses close to 160 million pesos, although the bank denied that it had fallen victim to a cyberattack.
At the end of April, the Bank of Mexico (Banxico) issued a statement saying that at least three local banks had reported incidents in the Interbank Electronic Payment System (SPEI) ─the Bank of Mexico's platform—although there was only talk of an attempted cyberattack. The bank took more than two weeks to admit that there had been a cyberattack and provide details about the potential losses suffered.
And while the source of the attack remains unknown, as well as where the stolen money was transferred to, the institutions and Mexican financial authorities continue their efforts to clarify the situation and determine the final amount.
The governor of Banxico, Alejandro Díaz de León, confirmed the cyberattack via a conference call, explaining that it was not the Interbank Electronic Payment System (SPEI) that was breached, but the applications and infrastructure that banks use to connect to this interbank system, Excélsior reported. Díaz de León also sought to reassure users by emphasizing that no clients or money deposited in the banks were affected by the incident.
Moreover, the Banxico governor confirmed that corrective actions were being taken to strengthen the system, but acknowledged that the bank does not have enough evidence to ensure that the cyberattack has ceased.
In a press release issued by the Bank of Mexico, the institution sought to ensure that "electronic transfers processed through the SPEI, as well as through the other payment systems that this Central Institute is responsible for, are a safe way of making payments." The Bank of Mexico will continue to exercise its powers to implement the necessary actions and fulfill its purpose to ensure the proper functioning of these payment systems.
The Bank of Mexico has also stated that they would be creating a new unit to design and provide guidelines on information security for all of the country’s banks moving forward as they try to make employees more cyberaware.