This post is about an on-going IT whodunit.
Late afternoon last Tuesday, South Korea’s National Agricultural Cooperative Federation, aka Nonghyup or NH Bank, experienced a system-wide crash that halted all of its banking transactions at 1710 local time. According to various Korean news reports, customers were unable to make ATM deposits or withdrawals, nor conduct any on-line or phone banking, or make use of in-bank deposit or withdrawal services. Some 30 million account holders of the bank—which owns the largest banking network in South Korea—were affected by the massive outage.
Partial services—including the use of ATMs along with Internet and phone banking—were reportedly “restored” by Wednesday afternoon. NH bank said that while it wasn’t exactly sure of what the problem was, it wasn’t caused by outside hacking as in the case of Hyundai Capital. The bank did pinpoint the problem to “an IBM transmission server at a computing center in southern Seoul,” this article last Thursday morning in Joongang Daily stated.
By Thursday afternoon, however, NH Bank still hadn’t been able to restore credit card and check card services, according to this story by the Yonhap News Agency. The article also reported that the Seoul Central District Prosecutors Office and the Financial Supervisory Service were sending their own investigators to try out and find out what happened.
But in Thursday’s Korea Times, NH Bank was already laying the blame for the outage on IBM Korea, which runs NH Bank operations via an outsourcing contract. The Korea Times article states that:
“The laptop of the IBM worker at issue ordered the deletion of execution files of our key systems, which involved more than one hundred IBM servers. This generated the service failure.”
“However, the employee seems to flatly deny any wrongdoing. We need to wait until ongoing investigations are completed to know exactly what or who caused all the trouble.”
Then on Friday, word was coming out that, in fact, not only were there still on-going problems with NH Bank credit card and check card services, but also its ATMs and on-line banking. While all the services were said to be “available,” they were highly unreliable.
On Saturday, this Yonhap News Agency article stated that reliability problems with NH Bank services were continuing into the weekend. It also said that:
“The Seoul Supreme Prosecutors’ Office said about 20 National Agricultural Cooperative Federation (Nonghyup) and IBM Korea employees will be questioned in relation to the network glitch that has affected services since late Tuesday.”
Then yesterday, Kim You-kyung, head of a special recovery task force at NH Bank, implied in this Joongang Daily story that the outage was an inside job deliberately meant to crash the bank’s network:
“The goal of hacking is for an outsider to infiltrate a system and profit by acquiring specific information. However, in this case the infiltration was made from within Nonghyup and a command to destroy all server systems was attempted simultaneously.”
The Daily article goes on to say that, “Credit card transactions between 4:56 p.m. and 5:30 p.m. on Tuesday were deleted not only from the main server but also from the backup server.”
This more in-depth article today by the Yonhap News Agency, which called the incident premeditated, reported that:
“The prosecutors said they had secured evidence showing that a batch of computer files containing commands to attack a key server of Nonghyup were installed on a laptop owned by an employee of IBM Korea, a Nonghyup subcontractor. The laptop was the source of the April 12 attack.”
The Yonhap News Agency article also reported that an investigator stated:
“We see that the perpetrators prepared for the attack for at least one month, considering our traces of the programs... It will take time to form an outline of the incident because it was designed precisely and meticulously.”
In addition, the article says that the investigators have “... imposed a travel ban on two to three Nonghyup and IBM Korea employees in charge of maintaining the bank’s network security.”
No possible motive for the attack has been given, as of yet.
The Joongang Daily story says that it will take NH Bank a few more days to fully recover:
“The biggest problem with the system now is in credit card transactions. Between April 12, when the server crashed, and April 18, customers made 73,500 transactions worth 57.8 billion won ($53 million)... Nonghyup [NH Bank] said roughly 5 percent of the data on credit card transactions was lost after the servers were forced to shut down. It expects a full recovery of the lost data by April 22.”
NH Bank also stated that Nonghyup it will be compensating customers for all damages, including late loan interest payments and commissions.
I’ll update this story—and hopefully identify a culprit—as more information becomes available.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.
