x Abu Dhabi, UAE Friday 21 July 2017

RakBank comes under fire from customers over cyber attack

One of the biggest names in UAE consumer banking said it lost Dh17.4m as a result of one of the biggest cyber heists to hit Middle East.

Fraudsters  stole US$45 million from RAKBank and BankMuscat in one of the Middle East's biggest cyberheists.
Fraudsters stole US$45 million from RAKBank and BankMuscat in one of the Middle East's biggest cyberheists.

RAKBank has come under fire from customers who say they were kept in the dark over millions of dollars of losses from a cyber attack in the US.

The bank, one of the biggest names in UAE consumer banking, said this weekend it had lost Dh17.4 million as the result of one of the biggest ever cyberheists ever to hit the Middle East.

It was the first time the bank had publicly acknowledged the attack, which took place on December 22, and which was revealed by US authorities after they arrested seven people linked to the attack.

By contrast, BankMuscat, which lost $39m in a related incident in February, disclosed the news publicly within a few days.

One bank customer, who identified himself as Marjan, told The National that they planned to end their relationship with the bank after the incident. RAKBank "needs to give much more transparent answers", he said.

RAKBank declined to comment, but has spent much of this week responding to criticisms via Twitter, reiterating that no customer has suffered any loss of funds as a result of the attack.

Disclosing cyber attacks to the public more quickly in future will help the industry identify vulnerabilities and insulate itself against future attacks, industry analysts said.

Banks had many reasons to worry about their reputation when hit by cyber attacks, but also must weigh the costs of scaring bank customers, said Neil Fernandes, head of country risk management for the Middle East, North Africa, India and South Asia at Visa.

But declaring cyber-attacks publicly would help the industry better assess threats, said Johnny Karam, regional managing director of Symantec.

"Some countries have to declare a data breach if it happens, in the US and Europe, but this is not the case across the world," he said. "Things that have gone public, most of the time was because the companies couldn't hide it. There is a big gap between what we see as high profile and what is actually happening."

What in the past might have gone no higher in a company's hierarchy than a chief information officer was now being brought up at board level because of the potential ramifications across a company's operations, Mr Karam added.

"As a company, when you're attacked and breached, having to report it is one story, having to deal with it is another story. It affects the reputation, customer trust and stock price," he said.

"Declaring it will raise awareness and raising awareness definitely helps companies to take security more seriously."

Meanwhile, other card providers in the Emirates said they had reviewed their security procedures after the attacks on RAKBank.

UAE Exchange, the currency exchange house, said its services on gocash, a prepaid travel card, had not been affected by the cyber attacks and has reviewed its security procedures.

The gocash cards are processed by ElectraCard, an Indian card processing firm used by RAKBank that was broken into during the cyberattack.

ElectraCard alerted the incident during last week of December 2012, a spokesman from UAE Exchange said.

"Our technology team has immediately reviewed all our IT security procedures relevant for the gocash card transactions," the company said in a statement. "All is in place and fine."

The company said it would continue to work with ElectraCard.

business@thenational.ae