A little-noticed lawsuit details a hacking attack similar to one that stole $81 million from Bangladesh's central bank, saying cybercriminals stole about $9 million last year from a bank in Ecuador. The case suggests global bankers haven't been sharing critical information to prevent such heists.

The February cyberheist involving Bangladesh Bank has elevated concerns about the security of the global finance system in the face of persistent cyberattacks. Details of another bank being victimized more than a year earlier is likely to increase those concerns, especially since overseers of the international payment system said that they were unaware of the attack.

A third attack from December 2015 at a commercial bank in Vietnam was detailed last week by the Society for Worldwide Interbank Financial Telecommunication, or Swift. That bank detected the fraudulent requests and stopped the movement of funds, the central bank in Vietnam said.

In the January 2015 Ecuador hack, as with the February 2016 Bangladesh case, hackers managed to get the bank's codes for using Swift, the global bank messaging service, to procure funds from another bank, according to court papers.

A spokeswoman for Swift said Thursday that the network was never told of the earlier hack. "We were not aware," said Natasha de Teran, the spokeswoman. "We need to be informed by customers of such frauds if they relate to our products and services, so that we can inform and support the wider community. We have been in touch with the bank concerned to get more information, and are reminding customers of their obligations to share such information with us."

The Ecuadorean Bank, Banco del Austro, filed a lawsuit in New York federal court earlier this year, accusing Wells Fargo Bank of failing to notice "red flags" in a dozen January 2015 transactions, and to stop them before the thieves transferred about $12 million, most of it to banks in Hong Kong.

Lawyers for the two banks didn't immediately return phone calls asking to comment about the case and Swift's complaints that they had failed to notify the payment network.

According to the lawsuit, Banco del Austro was able to get back about $2.8 million of the stolen money and initiated legal proceedings in Hong Kong to try to recover more. The court papers don't explain what, if anything, happened to the funds after they were sent to Hong Kong. About $1.5 million was transferred to an account in Los Angeles, and $1 million was sent to a bank in Dubai, according to the lawsuit.

It is unclear whether there is a connection between the hacking heists carried out against the Ecuadorean bank and those in Bangladesh and Vietnam. There are similarities in method, including thieves accessing the bank's system to log on to the Swift bank messaging network, and doing so after banker's hours, apparently to reduce the likelihood that someone would ask questions about specific transactions.

Swift officials have this year been aggressively notifying customers about malicious software on the perimeter of their messaging network ever since learning about the attack in Bangladesh. But news that the company didn't know about the Ecuador case at the time of the attack underscores the challenge it faces keeping up with thousands of customer firms, all of whom have varying layers of security and different home regulators around the world—and suggests there is no effective global process for sharing information about threats and vulnerabilities.

"Unfortunately, this risk with SWIFT is nothing new, as technology has evolved, and hackers have gotten more sophisticated," lawyers for the Ecuadorean bank wrote in a March 31 court filing, citing news articles about the Bangladesh case.

According to that filing on behalf of Banco del Austro, or BDA, "For each of the unauthorized transfers, an unauthorized user, using the Internet, hacked into BDA's computer system after hours using malware that allowed remote access, logged onto the Swift network purporting to be BDA, and redirected transactions to new beneficiaries with new amounts."

Using that method, just before midnight on Jan. 14, 2015, a payment order made to a Miami company for less than $3,000 was altered to send $1.4 million to an account in Hong Kong, according to the court filing.

There were 12 suspect transfers carried out over a 10-day period in January 2015, according to the lawsuit.

BDA's lawsuit argues Wells Fargo should have noticed several anomalies in the transfers and, at a minimum, asked questions about them.

"The unauthorized transfers were made in unusual times of the day, in unusual amounts, to unusual beneficiaries in unusual geographic locations," the bank's lawyers argued in the filing. "Despite the numerous anomalies in the unauthorized transfers, (Wells Fargo) inexplicably failed to block them and/or alert BDA of the suspicious activity."

Wells Fargo's lawyers have urged a judge in a court filing to throw out the lawsuit, saying the Ecuadorean bank's claims are misplaced and, if adopted by the financial industry, would impose impossible expectations on banks to vet account transfers.

"BDA and Wells Fargo agreed that Swift authentication was a commercially reasonable security procedure for verifying Swift payment orders," the Wells Fargo lawyers said in their motion to dismiss the case.

If BDA's reasoning were to prevail, banks would have to "contact their customers multiple times whenever a payment order is received…and it would eviscerate the efficiencies that wire transfers and SWIFT payment orders were designed to promote."

It is unclear whether bank regulators or U.S. criminal investigators were ever notified of the Ecuadorean hack.

The Bangladesh hacking heist has led to tensions between the bank and Swift, which is based on the outskirts of Brussels. Bangladesh investigators have suggested Swift employees may have taken steps that left the bank's computers more vulnerable to an attack. Swift has warned banks to be more vigilant against hackers getting into their systems, and noted that the hackers didn't penetrate their core messaging network.

Write to Devlin Barrett at devlin.barrett@wsj.com and Katy Burne at katy.burne@wsj.com

(END) Dow Jones Newswires

May 19, 2016 18:35 ET (22:35 GMT)

Copyright (c) 2016 Dow Jones & Company, Inc.
Wells Fargo (NYSE:WFC)
Historical Stock Chart
From Mar 2024 to Apr 2024 Click Here for more Wells Fargo Charts.
Wells Fargo (NYSE:WFC)
Historical Stock Chart
From Apr 2023 to Apr 2024 Click Here for more Wells Fargo Charts.