ORX News digests of the month: Q2 2019
- 10 July 2019
Every month the ORX News team publishes a featured digest from the ORX News service. It's a detailed look at one of the operational risk losses reported in the media that month, and is handpicked by the team as one of the most interesting stories.
Read on for all the featured summaries from Q2 2019.
June: Chilean banks face outsourcing failures
Banco de Chile, Banco Falabella and Santander were among numerous Chilean banks forced to block and replace customer debit and credit cards in June after a fourth-party contractor, engaged by the banks’ ATM network provider Redbanc, stole information relating to approximately 42,000 cards. As of 11 June, 82 cases of fraud had been recorded totalling 23 million Chilean pesos ($33,000), for which banks will cover the costs.
Police discovered the theft as part of a wider investigation into a card cloning network. The former contractor had stolen the partial information of 41,593 cards used on Redbanc’s network and a point of sale (POS) system from a petrol station before attempting to guess the cards’ personal identification numbers (PINs). He did this using new cards that he had printed with the stolen information.
According to Chilean senator Felipe Harboe Bascuñán, the data breach occurred because Redbanc lacked adequate security measures regarding its suppliers.
A total of 13 financial and non-financial institutions blocked and replaced cards and contacted customers. Banco de Chile blocked 9,000 cards, Banco Falabella 6,000 and Santander 1,000. Scotiabank, Banco Crédito de Inversiones (BCI) and Banco Ripley were also affected, in what Chilean media described as the largest data breach involving debit and credit cards the country has experienced.
ORX News subscribers can read the full story on the ORX News website.
May: BoA suffers losses of USD 375,000 following cyberattack using GozNym malware
Bank of America lost $375,000 after a transnational cybercrime network used GozNym malware to capture customers’ online banking information by keystroke logging and fake online banking pages. The malware was transmitted through malicious links in phishing emails.
In one instance, the network sent a phishing email to a BoA employee inviting them to click a link to view an invoice. Clicking the link installed GozNym malware, subsequently allowing the criminals to access the employee’s bank account and transfer $76,178. On two other occasions, the network accessed the accounts of BoA business customers, transferring $98,900 and $199,777 respectively.
The network also targeted Brookline Bank, from which it fraudulently transferred $41,000, and Comerica Bank, from which it transferred $28,000. Additionally, it gained access to accounts held at Wells Fargo.
On 16 May, the US Department of Justice announced that the group had attempted to steal $100 million from victims around the world, including attempts to fraudulently transfer $3.2 million in 38 transactions from online bank accounts. The network was formed after its members had advertised their specialised technical skills and services on underground, Russian-language online criminal forums.
April: Zurich fined USD 5.1 million by DoJ over sale of products used for tax evasion
Two Zurich subsidiaries, based in Switzerland and the Isle of Man respectively, have agreed to pay $5.1 million to the United States over insurance policies and accounts used by US customers to evade tax.
US taxpayers used the policies and accounts issued by Zurich to conceal undeclared assets from the Internal Revenue Service (IRS) and subsequently evade taxes and reporting requirements. Some of these products were unit-linked insurance policies which allowed customers to access potentially higher returns by taking on market risk. The base death benefit for some of these policies was nearly equivalent to the cost of the policy and, in some cases, was fully funded by transfers from offshore bank accounts.
Zurich issued approximately 420 of the policies between January 2008 and June 2014, which had an aggregate value of $102 million. According to the DoJ, Zurich failed to ensure timely compliance by policyholders with US tax laws and knew, or should have known, that it was helping taxpayers to conceal assets.
Zurich self-disclosed to the DoJ in July 2015 following a global review of its US offshore life insurance, savings and pension business. This review followed the introduction of the DoJ’s Swiss Bank Program in 2013.
In addition to the $5.1 million penalty, Zurich is required to implement controls to stop misconduct which involves undeclared US accounts in return for non-prosecution for tax-related criminal offenses.