Published: 24 Jun 2026, 01:27 AM
An Enduring Contagion
Critical security gaps: Study says SWIFT operations still lack vital cybersecurity safeguards, leaving the central bank vulnerable a decade post-heist
Monitoring system failures: The absence of anti-money laundering tools and disconnected XDR/NDR devices leaves transactions unverified, it adds
Flawed procurement logic: Prioritising cheap, low-bidder software over elite global tech has compromised crucial banking infrastructure, inspectors say
Unfinished recovery actions: Key upgrades, including automated backups and disaster recovery staffing, remain incomplete and delayed, study reveals
Few events have left a deeper scar on Bangladesh's financial system than the reserve heist of 2016, when hackers exploited the global SWIFT network to steal $101 million from Bangladesh Bank's foreign currency reserves held at the Federal Reserve Bank of New York.
Now, more than a decade later, a review by an interim government committee has raised fresh concerns about whether every lesson from that episode has truly been learned.
While Bangladesh Bank has strengthened several safeguards since the theft that stunned central bankers around the world, inspectors appointed by the interim government found lingering weaknesses in the central bank's SWIFT operations, including gaps in cybersecurity monitoring, risk management, disaster recovery and anti-money laundering controls.
The findings emerged as authorities moved closer to finalising charges in the long-running reserve theft case, bringing renewed attention to the systems that were exploited in one of the largest cyber-enabled bank robberies in history.
What the Inspectors Found
Following an inspection of Bangladesh Bank's SWIFT server room, committee members identified weaknesses in cybersecurity infrastructure, log analysis systems, risk management, disaster recovery capabilities, automated backup arrangements and security operations monitoring.
The review also highlighted the absence of firewall protection at the central bank's internet service provider level.
During a Jul 1, 2025 inspection, reviewers found web browsers operating with “default parameters” and the use of a virtual private network that was not widely recognised internationally.
One committee member, speaking to bdnews24.com, said the team did not find anti-money laundering software integrated into the SWIFT system.
Without such tools, officials could not effectively verify the identity of entities sending information through the network, nor determine whether submitted information was accurate, the member said.

Inspectors also found no effective transaction-profile validation mechanism.
"Under this kind of management, hacking could have happened at any time, before or after," the committee member said. "Bangladesh's SWIFT security system was not particularly robust."
Asked how much conditions had improved since the reserve theft, the member said: "We found some minor improvements, but they were not enough."
"After we identified different technical flaws, even the engineers working there came to realise that their security arrangements were not adequate."
On Feb 4, 2016, hackers used fraudulent SWIFT messages to steal approximately $101 million from Bangladesh Bank's account at the Federal Reserve Bank of New York.
Additional Weaknesses Identified
The inspection team also reported:
• XDR/NDR devices found disconnected
• Lack of adequate fire safety and environmental monitoring at the network rack located in a meeting room on the same floor as the server room
• Poor cable management inside the SWIFT server room
• Several protected cables without source and destination tags
• No anti-money laundering tools in operation
• No migration to newer-generation SWIFT software
The committee also recommended developing a pool of skilled personnel dedicated to SWIFT operations.
Improvements — but Unfinished
A subsequent Bangladesh Bank progress report acknowledged that while a number of security measures had been introduced after the reserve theft, significant work remained incomplete.
According to the report, SWIFT servers are no longer kept online continuously. Hardware Security Modules are now activated only during transaction settlement.
Passwords are changed regularly, while multi-factor authentication and one-time passwords are required for every login. The central bank has also replaced its previous VPN arrangement with an internationally recognised solution.
Improvements have also been made to environmental monitoring, temperature control and server-room infrastructure.
Yet several key initiatives remain under implementation, including:
• International-standard security tools
• Anti-money laundering systems
• Automated backup facilities
• Security operations centres
• Log retention systems
• Security architecture frameworks
• Staffing for alternative disaster recovery sites
Security Versus Procurement
One of the committee's most significant observations concerned procurement practices.
Investigators were told that some security software had been purchased from the lowest bidders through open tenders.
The committee argued that for a critical institution such as a central bank, internationally recognised and proven security solutions should take precedence over price considerations alone.
It recommended platforms from globally established providers including Microsoft and IBM.
Bangladesh Bank spokesperson Arief Hossain Khan said the central bank had accepted all recommendations and was implementing them gradually.
"Since the committee has made these suggestions, Bangladesh Bank is certainly following them. Not everything can be implemented immediately. We have accepted all of them and are implementing them one after another," he said.
He acknowledged that procurement rules must also be considered.
"If three companies submit bids and I choose the second- or third-lowest bidder instead of the lowest one, questions will arise. There is accountability in spending public money."
Cybersecurity, he argued, is not a destination but a process.
"The software considered most secure today may also become vulnerable to attacks in a few years' time."