When Banco de Chile suffered a massive, malware-driven system failure earlier this year, the bank was caught off guard. Thousands of computers were rendered useless across its network of nearly 400 branches, while some 500 servers were shut down.
It took the state-owned bank nearly a week to regain control of its systems.
Banco de Chile later conceded that the virus attack was just a decoy. While the bank was scrambling to contain the malware and protect client accounts by disconnecting some 9,000 workstations, hackers were siphoning US$10 million from the bank itself through SWIFT, the international payment system.
The attack on Banco de Chile came just weeks after hackers targeted Banco de México's interbank payment system , SPEI, and in the process stole between 300 million and 400 million Mexican pesos. At least five financial institutions' connections to the payment system were compromised as a result of the attack.
The two breaches are a part of a broader rise in cyberattacks across Latin America, which industry experts say underscores how ill-prepared many financial institutions in the region are to combat a sophisticated global hacking network.
In its most recent cybersecurity report, technology company Cisco described Latin America as "particularly vulnerable to cyberattacks," asserting that many countries in the region "simply lack the capacity to respond to major cyber incidents." The report pointed specifically to substandard technology and staff training.
In the months since the attacks on Banco de Chile and Mexico's SPEI, numerous other cyberattacks in Latin America have surfaced. In Chile alone, some 18 banks reportedly have been targeted in recent months, while security hacks have led to the public leaking of private information from more than 60,000 debit and credit card users. A 2018 global economic crime survey from PwC showed that 53% of Latin American organizations had been victims of fraud, up sharply from 28% in 2016.
"[Hackers] are doing this because such an attack might not be possible — or as easy to carry out — in more cyber-conscious countries," said Carles Lopez-Penalver, a New York-based intelligence analyst at cybersecurity firm Flashpoint. State-controlled entities and companies in emerging markets, he noted, tend to have weaker cybersecurity protocols and lower levels of infrastructure protection, making them prime targets.
"A lot of these organizations are not prepared," he said.
In the wake of the Banco de Chile virus, legislators and regulators in the country began investigating how to improve security across the country's financial system. In doing so, they revealed a number of issues, ranging from substandard technology to a lack of communication and awareness.
During one Senate hearing in July, a computer systems expert testified that Chile's ATM network was especially vulnerable to malware attacks because much of it still runs on Windows XP, an operating system Microsoft introduced nearly two decades ago and has not supported since 2014. Such outdated systems, the expert warned, represents the weakest security link in Chile's banking sector.
The public testimony spurred several Chilean banks, including Banco del Estado de Chile, Banco Santander Chile and Banco de Chile, to expedite their ATM network migrations to newer operating systems.
Ryan Clancy, a cybersecurity consultant at Texas-based Delta Risk, meanwhile, highlighted the lack of adequate training evident in the Banco de Chile attack. "Ensuring staff are trained in not only what to look for in the event of a cyber intrusion, but what actions to perform when an intrusion is detected is critical," Clancy said in an email to S&P Global Market Intelligence.
Regulators in both Chile and Mexico have made strides since the attacks to strengthen their respective banking sectors' cybersecurity. In Mexico, the country's central bank established a new division to develop a strategy to protect its systems and information in the future, while regulators have revamped emergency protocols and introduced new cybersecurity regulations for the financial sector.
In Chile, the central bank created a cybersecurity chief position and released new measures designed to help banks respond to "critical operational events." Chile's government has said it plans to implement its own package of measures to help shield both public and private entities from online attacks, while congressional representatives are working to include rules to improve cybersecurity within a new general banking law, though the legislation is still sitting with Congress. The country has also signed an agreement with the U.S. to collaborate on cybersecurity issues.
Too little, too late?
While such measures likely will improve defenses, experts say the changes should have been in place long ago, pointing out that the latest string of cyberattacks, while sophisticated, are far from new.
"There is still a culture of reactivity when it comes to cyberrisk," Michael Rohrs, a Washington, D.C.-based cybersecurity expert at Control Risks, said. "Some banking systems have not been proactive enough to learn the lessons from attacks on other very similar systems."
Cybersecurity experts believe that the malware used in the Banco de Chile attack is a variant of ones used numerous times, including an unsuccessful heist on Mexico's state-run Banco Nacional de Comercio Exterior SNC Institución de Banca de Desarrollo in January, in which hackers tried to steal $110 million.
Attacks on the SWIFT platform, as was the case at Banco de Chile, have occurred repeatedly for years. In early 2015, hackers snatched around $9 million from Banco del Austro SA in Ecuador through the system. That breach was followed by a December 2015 attack at a commercial bank in Vietnam and a February 2016 attack at the central bank of Bangladesh, where $81 million was stolen.
"This has happened to enough banks, in enough places, that I think there can be, and there should be, much better sharing of information among them," Rohrs said.
As of Sept. 4, US$1 was equivalent to 19.37 Mexican pesos.