Security software

How the Sumitomo Bank Hackers Failed

The largest near-heist in banking history failed because the men accused of trying to carry it out didn't properly fill in a single field in an electronic transfer form.

Artwork: Diego Aguirre
This is one of the extraordinary details that have emerged in the trial of three men accused of having tried in September and October 2004 to rob Japan's Sumitomo Mitsui bank of an eye-watering £229 million ($318 million at today's exchange) from inside its office, in the City of London.

The three men directly involved -- Kevin O'Donoghue, a bank security supervisor and two Belgian software experts, Jan Van Osselaer, 32 and Gilles Poelvoorde, 34 -- admit their role in the attempted theft.

Far from using a sophisticated remote hacking scheme, the accused men chose a much simpler way of breaking into the bank's systems -- they walked in the front door.

At the time, O'Donoghue was working at the bank's offices in a security capacity, and was able to allow the Belgians access to the building on several occasions. On the first visit they are believed to have installed keylogging programs on key PCs to record passwords and account names. During later visits, the men retrieved this information and then used it to attempt money transfers from Sumitomo customers, including Toshiba International, Sumitomo Chemical. Nomura Asset Management, and Mitsui OSK Lines.

The main reason the plot failed -- the men are said to have tried to transfer funds on 21 occasions over a two-day period -- was the men's unfamiliarity with the Swift system used to move money to external accounts, which caused them to enter incorrect data in an important field.

What also seems to have saved the bank was the alertness of its employees, who noticed that their PCs had been tampered with and informed management, who in turn told the police. By the time the men were apprehended, the police had been observing them for some time, hoping no doubt to uncover the full extent of the scheme.

In addition to the main conspirators, several other men, including two British businessmen, Hugh Rodley and David Nash, have been accused of operating accounts and front companies to receive the funds, and possibly masterminding the whole operation. These individuals deny the charges.

At the time news came to light of the attempted theft, the Japanese bank was praised for avoiding the temptation to hide events, which finance houses have been accused of in the past.

"Generally big businesses don't like to talk about any security problems they may have," security expert Graham Cluley of Sophos said at the time.

The jury trial at Snaresbrook Crown Court in London is expected to continue for six weeks.

Subscribe to the Daily Downloads Newsletter

Comments