The Development Bank of Seychelles (DBS) has suffered a ransomware attack that remains a mystery as to how it occurred, almost a full week after the fact. The bank notified the country’s regulator of the incident and is currently still assessing the extent of the impact.
DBS, a joint venture by the Seychelles government and several shareholders, said the cyber incident occurred Wednesday, September 9. The Central Bank of Seychelles, which regulates all financial institutions in the country, announced the incident in a press release issued two days later, on September 11.
“The Central Bank of Seychelles (CBS) has been informed of a ransomware attack on the network of the Development Bank of Seychelles (DBS),” the press release states. “The incident was communicated to CBS on Wednesday 9 September 2020. Since then, CBS has been engaging with DBS to establish the exact nature and circumstances of the incident and closely monitor the developments, including the possible impact on DBS’ operations.”
The CBS has instructed DBS to keep all affected parties in the loop as investigators sift through the data available.
“As a regulator of financial institutions, CBS is mindful of cybersecurity risks and the impact that cyber-attacks can have on the financial system, an issue that is continually monitored and discussed at the regulatory level by the Financial Stability Committee,” the announcement continues.
“In this light, engagement with DBS will also endeavour to identify areas of vulnerability that could have led to the ransomware attack. The CBS will be providing further details to the general public once the full extent of this reality has been clearly understood,” the CBS notes.
In other words, almost a full week after the incident occurred, the DBS and everyone involved in the investigation still don’t know how ransomware operators creeped in the infrastructure to deploy their data crippling malware.
The announcement also doesn’t disclose the ransomware strain used in the attack (whether investigators have identified it or not), nor does it say anything about the attackers’ demands. As of this writing, the official website of the Development Bank of Seychelles (www.dbs.sc) is down.
This event, like other ransomware attacks in the financial sector, points to the need of better auditing systems and procedures, automated patch management, human risk analytics, as well as forensic capabilities to aid investigative efforts. Not knowing how the breach occurred, what the extent of the damage is, who is responsible, and everything in between means it can happen again – and likely will.