ANZ probes staff access to critical systems

The bank has retained outside auditors after claims that some former employees retained entry to internal systems

ANZ has hired external auditors to probe its controls on staff access to critical technology platforms after claims that some former employees retained access to internal systems.

ANZ has retained auditors KPMG and PwC and launched a recruitment effort to bring aboard specialist employees working in “access and identity management” to shore up controls on staff access to internal systems, according to a report by The Sydney Morning Herald.

Major banks deflect thousands of cyber attacks per day – and that number has skyrocketed during the pandemic, according to the Herald. Financial institutions are investing hundreds of millions of dollars in strengthening their digital security. Despite this, a recent report by the Reserve Bank of Australia warned that a successful cyber attack against one of the nation’s largest banks was “almost inevitable.”

Unauthorised access to banks’ internal systems creates risk because it can allow outsiders to monitor sensitive information, including customer data or intellectual property, that can be sold on the black market, the Herald reported. Hackers can also use unauthorised access to mount a ransomware attack.

An ANZ spokesman told the Herald that cybersecurity is one of the bank’s “highest priorities” and that it has multiple layers of safeguards that “all work together to protect the bank and our customers.”

“ANZ has multiple processes that terminate critical system access when staff members or contractors leave ANZ,” the spokesman said. “This process has been tested and audited by both internal and external teams and found to be effective. ANZ also has a specialist team to monitor for and manage any data breaches across the bank, and there have been no material breaches related to ANZ employees or contractors that have left the bank.”

However, multiple ANZ sources told the Herald that the bank’s ageing systems and out-of-date human resources records have hindered its ability to effectively monitor staff access – which has allowed some former employees to retain their access to critical systems.

“It’s not like bank robbery where they come with guns and start robbing a bank from the front end,” one source told the publication. “Now they’re being really smart – they’re going in from the back.”

Current and former ANZ employees told the Herald that the bank has a culture of embedding security controls into operations. However, some offshore technology developers on short-term contracts have managed to evade these controls.

“It’s the front door. Access management is the outer layer to prevent attacks,” another source told the Herald. “If that’s compromised, many other subsequent layers will be exposed. That’s why it’s important to get it right. Sometimes with rushed development work, there is privileged access that are not deleted or removed after. Since the development work had been done offshore, a lack of documentation leads to a lack of visibility.”

ANZ’s “return to work” program, which aims to increase the number of women working in technology, has advertised several roles in “identity and crisis management” across India, Australia and New Zealand, the Herald reported. These roles focus on securing and controlling access to the bank’s technology systems.

An ANZ spokesman told the publication that the bank uses an array of security tools and continuously upgrades its capabilities as threats evolve.

“We also recognise that our people are our first line of defence and embedding a culture of security across the bank is important, with extensive education programs to help everyone do their bit to keep us secure,” he said.