World Bank Under Cyber Siege in 'Unprecedented Crisis'

Friday , October 10, 2008

By Richard Behar

The World Bank Group's computer network — one
of the largest repositories of sensitive data about the economies of
every nation — has been raided repeatedly by outsiders for more than a
year, FOX News has learned.

It is still not known how much information was stolen. But sources
inside the bank confirm that servers in the institution's
highly-restricted treasury unit were deeply penetrated with spy
software last April. Invaders also had full access to the rest of the
bank's network for nearly a month in June and July.

In total, at least six major intrusions — two of them using the same
group of IP addresses originating from China — have been detected at
the World Bank since the summer of 2007, with the most recent breach
occurring just last month.

In a frantic midnight e-mail to colleagues, the bank's senior
technology manager referred to the situation as an "unprecedented
crisis." In fact, it may be the worst security breach ever at a global
financial institution. And it has left bank officials scrambling to try
to understand the nature of the year-long cyber-assault, while also
trying to keep the news from leaking to the public.

• Click here to see the e-mail.

• Click here to visit FOXNews.com's Cybersecurity Center.

The crisis comes at an awkward moment for World Bank president
Robert Zoellick, who runs the world's largest and most influential
anti-poverty agency, which doles out $25 billion a year, and whose
board represents 185 member nations. This weekend, the bank holds its
annual series of meetings in Washington — and just in advance of those
sessions, Zoellick called for a radical revamping of multilateral
organizations in light of the global economic meltdown.

Zoellick is positioning himself and the bank as an institution that
can help chart a new path toward global financial stability. But that
reputation, more than ever, depends on the bank's stable information
infrastructure.

The fact that the information vaults of the World Bank have been repeatedly pried open won't help Zoellick's case.

While it remains unclear how much data has been pilfered from the
bank, it's a lot. According to internal memos, "a minimum of 18 servers
have been compromised," including some of the bank's most sensitive
systems — ranging from the bank's security and password server to a
Human Resources server "that contains scanned images of staff
documents."

• Click here to see bank memos about the intrusions.

One World Bank director tells FOX News that as many as 40 servers
have been penetrated, including one that held contract-procurement data.

Despite the gravity of the break-ins, the bank is trying hard to
pretend to outsiders it didn't happen. "There were attempts to hack the
bank's computer systems last summer," says a World Bank spokesman.
"However, there was no compromise of confidential information."
Requests for on-the-record interviews with Zoellick and other top
officials were declined.

Meanwhile, the bank's treasurer, Kenneth G. Lay, has been briefing
Zoellick's senior management team regularly on the situation since
April.

Other bank officials are also sleuthing. The bank's chief
information officer, Guy De Poerck, has engaged Price Waterhouse
Coopers to do a confidential million-dollar assessment that is expected
to tell him what's going on in his own department. And a 22-page
internal report by a computer security company named MANDIANT, dated
August 18, fleshes out many details of the June-July breaches. But very
few people have ever seen the report, and nobody has been permitted to
retain a paper copy.

At the same time, De Poerck has been downplaying the problem to the
bank's 10,000 rank-and-file staffers as mere intrusion "attempts" in
his e-mails. Yet most of those staffers have been asked to change their
password three times in the past three months.

"As previously reported in mid-July," CIO De Poerck and a senior
bank treasury official wrote in an August announcement to employees,
"we would like to reassure you that there is no evidence that Bank
staff personal information is at risk from the recent external
attempts."

It's unclear how that statement squares with an internal memo to De
Poerck a month earlier revealing that a sensitive Human Resources
server "that contains scanned images of staff documents" had been
successfully breached. De Poerk declined to comment to FOX News about
any of these details.

• Click here to see De Poerck's memo.

In reality, the situation is serious enough that federal
investigators have been called in. "We're not talking about hackers
playing games or messing up our website," insists a senior member of
the bank's IT department at its Washington headquarters. "It's about
the FBI coming last summer and saying, 'You should take a look at your
systems because we think something weird is going on.' It's about the
intruders knowing what information they wanted — and getting to it
whenever they wanted to. They took our existing data stores and
organized them in a way that they could be easily accessed at will."

In plainspeak: "They had access to everything," says the source.
"They had the keys to every room at the bank. And we can't say whether
they still do or don't until we fully and openly address what's
happening here."

The data raids are not a matter of stealing inconsequential bits and
bytes. The World Bank's data center is literally a treasure trove of
vital financial information from around the globe. As a clearinghouse
for financial data from both governments and companies, the bank's
computers could provide intruders with both a financial and
intelligence gold mine — from inside information on bids and contracts
to the minutes of confidential board meetings.

If the bank takes a position in a currency, for example, that
currency usually moves in response to the bank's actions. Stocks and
bonds can also swing up and down based on World Bank announcements. "If
you know beforehand that the bank is going to put an order in for oil
pipelines in Chad or healthcare systems in India, you can actually make
a good amount of money," says one insider.

Although the bank typically provides only a fraction of the
financing for a project, its influence on those projects is immense.
Private corporations see the bank's stamp of approval as a guarantee
that their own larger investments will be safe — and profitable.
Knowing in advance what projects the bank's board will reject could be
just as profitable.

http://www.foxnews.com/story/0,2933,435681,00.html