At least five attacks were carried out in April and May on the Mexican central bank’s Interbank Electronic Payments System (SPEI), according to Lorenza Martinez, director general of the corporate payments and services system at the central bank.
Martinez said that SPEI had not been compromised, and that the problem involved software developed by institutions or third-party providers to connect to the payment system. Though she declined to reveal which banks had been targeted in these attacks, her explanation suggests that the ‘attempted’ hacks last month, in which Grupo Financiero Banorte seemed to be among those affected, were part of this.
Reports on these incidents did not mention any financial losses resulting from the attacks, apart from clarifying that client money had not been affected. The announcement on Monday, however, makes it clear that the attacks did result in a hitherto-unspecified amount being stolen.
“Some transactions were introduced that were not recognised by the issuing bank,” Martinez told Radio Centro. “In some cases these transfers made it through to the destination bank and were withdrawn in cash.”
She once again emphasised that client money had not been affected, as the accounts targeted belonged to financial institutions. The total stolen is not yet known – some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but according to Martinez, the amount is still being analysed.
As in the incident with Banorte, in which spokespeople declined to comment on whether Banorte had been targeted by cyberattacks, Martinez was reluctant to attribute the theft to a ‘cyberattack’.
“At this time, we cannot reject any hypothesis,” she said. “It was something done on purpose, but how it was done, we are in the process of finding out.”