A report claims World Bank sensitive data has been compromised

Oct 13, 2008 14:11 GMT

FOX News reports that the network of the World Bank Group suffered several security breaches in the past year and a half, but a World Bank spokesman dismissed the story. According to a leaked memo, a serious security breach occurred in July and resulted in at least 18 servers being compromised.

The World Bank Group (WBG) is a major global organization, supported by 185 countries, whose purpose is to offer technical and financial assistance to developing and underdeveloped countries. It is composed of the International Bank for Reconstruction and Development (IBRD), which deals with creditworthy countries, and the International Development Association (IDA), which deals with very poor countries. It's estimated that the WBG distributes around $25 billion every year in order to reduce poverty and improve infrastructure and education around the world.

The compromise in July was discovered on July 8th due to an alert sent by a Lotus Notes server. Upon further analysis, a minimum of 18 servers were discovered to be compromised, out of which five contained sensitive data. The five servers containing sensitive information included a Secure ID server, a file server, a domain controller and a database server.

“We have determined that 5 of the compromised servers contain sensitive data and care must be taken to determine the amount of information that may have been transmitted outside of the World Bank Group,” Jack Conde, Senior Enterprise Risk Management Officer at World Bank, noted in a leaked internal memo. The same memo reveals that the source of the breach was unauthorized access to a Senior Systems Administrator account belonging to a person who was on leave when the incident occurred. The attackers' original point of entry was identified as a web server.

Since the incident, the WBG has taken steps to improve security on its network. Jack Conde's memo states that “a major effort is underway to implement a firewall rule that will bar all outbound traffic from the server networks to the Internet with exceptions made for servers with a legitimate reason to make such connections”. A later memo, sent in August by Guy-Pierre De Poerck, CIO of the Information Solutions Group at WBG, outlines other security measures, such as the use of authentication tokens in addition to passwords and a requirement for all employees to attend the information security awareness course.

This memo also notifies employees that no personal information was compromised in the July incident: “As previously reported in mid-July, we would like to reassure you that there is no evidence that Bank staff personal information is at risk from the recent external attempts”. This is also backed up by an official statement issued by the WBG in response to the FOX News report. “The Fox News story is wrong and is riddled with falsehoods and errors. The story cites misinformation from unattributed sources and leaked emails that are taken out of context,” claims a WBG spokesman.

“Like other public and private institutions, the World Bank has repeatedly experienced hacking attacks on its computer systems and is constantly updating its security to defeat these. But at no point has a hacking attack accessed sensitive information in the World Bank's Treasury, procurement, anti-corruption or human resources departments,” the spokesman added.