5 Great Bank Heists
Whilst researching for a proposal to a large government, I wanted a story that is relatable to non-security folk who work with data every day.
There were a few analogies but the simplest was going to be Bank Robberies.
Special thanks to Moneywise.com for providing the top ten bank robbery stories.
#4 The Banco Central burglary
Stolen: $71.6 million
To pull it off, a 25-member gang set up a fake landscaping business. They spent three months digging a 256-foot tunnel that led up through the bank's vault floor.
Only eight people were arrested, and just 20 million reais were recovered.
SC: This is akin to an advanced persistent threat (usually teams) spending months scoping the target, gaining access, watching and then taking action when required. These are the bad bad guys and are not often employed to make a quick buck. They are not looking to steal data but are certainly observing the use of data. The motive is usually corporate espionage or nation-state activity. They will use A-team tools, tactics and techniques and, surprisingly, not all of these are cyber.
#3 The Securitas depot robbery
Stolen: $83 million
The largest cash robbery in British history went down in 2006, at a security services company’s warehouse in Kent. An inside man filmed the interior of the Securitas depot in preparation.
Then, men clad in elaborate masks kidnapped the branch manager and held his family hostage. The robbers took him to the warehouse and forced him to give them access to the cash cages.
The crew stole about $83 million. Despite their clever disguises, some of the robbers were caught, and the makeup artist who designed the masks became a key witness in the case.
SC: A colleague of mine, when working on insider threat software, once said that the easiest way to get access to data in an organization is not to break through the various cyber defences employed but to blackmail an employee into bringing you the information. This is an insider threat, which in my opinion is under-invested in by companies, presents the biggest threat and is the hardest to manage. The Securitas depot robbery was an extreme form of insider threat.
#2 The Central Bank of Iraq robbery
Stolen: Over $920 million
Another robbery in Baghdad became the largest bank heist in history. The mastermind was none other than Iraqi dictator Saddam Hussein.
One day before the Iraq War began in 2003, he sent three large trucks to the Central Bank. He also sent his son Qusay a handwritten note asking to withdraw nearly $1 billion to keep it from enemy hands. The money was loaded into vans and driven away.
Most of the cash was recovered in the ensuing raids — but it doesn’t end here. Tasked with counting the illicit loot, American soldiers made off with hundreds of thousands of dollars for themselves and their families. Thirty-five service members were caught.
SC: Now I acknowledge that this could be contentious. He was a dictator after all, and one could in fairness argue this wasn't a robbery. However, regardless of the view, this is an example of authorized access. It sometimes appears in the guise of BEC (business email compromise) and is more often associated with financial fraud like wire transfers or gift card fraud.
#1 Bank of Australian Citizen Data
Stolen: Over $150 million in damages and counting
There has been a lot of talk in recent media from a range of Australian organizations in response to the planned data privacy bill (already passed through the lower house), which provides for fines of up to 50m or 30% of adjusted turnover.
The theft of data for extortion, whether through unauthorized access, authorized access or data that was just plain published (re: Optus), is a pittance compared to the potential fines, the remediation costs (Optus has set aside 150m) and, in the case of Medibank, a potentially crippling class action for leaking very sensitive and private information on its customers past and present. The damage that surrounds something like an abortion CSV being published feels uncomfortable to write about, and I can't even begin to imagine how it would make a victim feel and the damage it might cause. Medibank will be dealing with fraudulent cases on claims for a long time to come.
It is time that the custodians of this data start to think about how to wrap controls around the data itself. Start with knowing where your data is, not just where you think the data sits. Ensure your PIM/PAM solutions take pride of place in your daily maintenance lists. Develop a strong and robust insider threat program that can provide DLP capability. Then pick up the phone and give me a call, as we can wrap some controls around individual pieces of data themselves, to the point that if you don't have authorized access there is nothing for you to steal. Finally, use the same tool to share tokenized data with your third-party suppliers. In most cases, this will suffice to significantly reduce your attack surface.