Cyber criminals hacked the systems of India's Cosmos Bank and siphoned off nearly Rs 944 million ($13.5 million) through simultaneous withdrawals across 28 countries over the weekend, the bank has told police.
The co-operative bank said unidentified hackers stole customer information through a malware attack on its automated teller machine (ATM) server, withdrawing 805 million rupees in 14,849 transactions in just over two hours on Aug. 11, mainly overseas.
Apart from the ATM withdrawals, the hackers transferred 139 million rupees to a Hong Kong-based company's account by issuing three unauthorised transactions over the SWIFT global payments network, the bank said in a police complaint, a copy of which was seen by Reuters.
SWIFT, whose messaging system is used to transfer trillions of dollars a day, said it did not comment on individual cases.
Cosmos Bank, based in the western city of Pune, said in a press statement that its main banking software receives debit card payment requests via a "switching system" but it was bypassed in the attack.
"During the malware attack, a proxy switch was created and all the fraudulent payment approvals were passed by the proxy switching system," the bank said.
The bank declined to reveal the countries, citing security risks.
Police said they were investigating the theft.
A police official, who declined to be named, said they had enlisted the help of experts to find out how authorised transactions were conducted simultaneously in various countries.
India's City Union Bank Ltd reported in February that it had suffered three "fraudulent remittances" of nearly $2 million that had been pushed through the SWIFT financial platform.
In 2016, unknown hackers stole more than $81 million from the Bangladesh central bank's account with the Federal Reserve Bank Of New York. Investigators have made little progress in the case.
"While there is growing awareness to regularly update an organisation's cyber preparedness and defence mechanisms, a large number of institutions wake up to this reality only post an incident which often leads to a loss of reputation and/or financial misappropriation," said Nikhil Bedi, a partner with Deloitte India.