Two Breaches, One Bank: Lessons from The ICBC Cyber Crisis
In late 2023, a major disruption rippled across the $26 trillion U.S. Treasury market. Trades stopped settling. Corporate email went down. Billions of dollars were at risk.
The source? A ransomware attack on the U.S. broker-dealer arm of one of the world's largest banks, the Industrial and Commercial Bank of China (ICBC).
Less than a year later, the bank faced yet another breach — this time in its London branch.
"ICBC faced the worst of both worlds," explains Raghu Nandakumara, senior director of industry solutions marketing at Illumio. "Service disruptions hit in 2023, followed by a data breach in 2024."
Both incidents exposed systemic vulnerabilities in global banking operations and raised questions about the financial sector's resilience to sophisticated cyber threats.
A closer look: Anatomy of two breaches
November 2023: ICBC U.S. ransomware attack
In November 2023, the LockBit ransomware group hit ICBC's U.S. broker-dealer unit, ICBC Financial Services.
The attack took down systems used to clear and settle U.S. Treasury trades and repo financing.
As a result, trade clearances stopped, and payment delays rippled across the market.
Key details on the operational and financial impacts
- System shutdowns: Core platforms for settling payments and clearing trades were inaccessible for days.
- Emergency actions: Because the unit could not settle its trades, it was left owing BNY Mellon roughly $9 billion for unsettled Treasury trades, more than the division's net capital. The parent bank injected capital into the U.S. division to cover the shortfall and stabilize operations.
- Workarounds: Staff carried settlement details on USB drives and processed trades manually, and used Gmail in place of corporate email while systems were down. Both workarounds bypassed the bank's normal controls and raised security concerns of their own.
The SEC’s response
The U.S. Securities and Exchange Commission (SEC) investigated the 2023 incident and found record-keeping and communication failures.
It imposed no fine. But the message was clear: operational resilience is non-negotiable.
"The SEC's response was interesting—a bit of a slap on the wrist, saying 'Don't let this happen again.' Yet, also acknowledging ICBC's transparency and quick response." – Raghu Nandakumara
September 2024: ICBC London branch data breach
Less than a year later, the Hunters International ransomware group breached ICBC's London branch.
Attackers stole 6.6 terabytes of data, including sensitive customer information and internal operational files.
"The challenge with data exfiltration is the unknown — how will attackers use that data in the future?" – Raghu Nandakumara
Key details of the 2024 ICBC incident
- Ransom demands: The attackers threatened to release the data if their financial demands were unmet.
- Global reputation: The second breach in under a year raised questions about whether ICBC applied security controls consistently across its overseas operations.
"Both the 2023 and 2024 ICBC breaches exposed critical gaps in their security defenses — showing that, despite commitments to improvement, change doesn’t happen overnight." – Raghu Nandakumara
Is global banking at risk?
How could weakness at one branch put an entire institution — and its global operations — at risk?
The ICBC breaches, first in the U.S. and then in London, showed exactly how: The attacks disrupted operations, damaged the bank’s reputation, and exposed critical gaps in its cybersecurity defenses.
Raghu explains, “The ICBC breaches showed a harsh truth: A single weak spot, in one branch or system, can put the whole network at risk.”
Both ICBC breaches revealed major weaknesses in how the bank's operations were secured:
- System dependencies: The U.S. attack showed how fragile interconnected settlement systems are: when a single participant cannot clear or settle, payment delays spread across the market.
- Cross-border inconsistencies: The London breach pointed to security controls that were not applied uniformly across the bank's international branches.
- Crisis vulnerabilities: Both incidents showed the risk of improvised workarounds, such as manual settlement over USB drives or consumer email, which sidestep the controls and record-keeping built into the normal systems.
“Assume breach is reality. Attacks are inevitable. The ICBC breaches are an example of that.” – Raghu Nandakumara
Tracking major financial breaches
ICBC’s breaches are part of a growing trend of cyberattacks aimed at financial institutions.
Key incidents include:
- 2015 Carbanak Gang: This cybercrime group, whose campaign was publicly documented in 2015, stole an estimated $1 billion by compromising bank back-office systems with malware, inflating account balances and transferring out the difference.
- 2016 Bangladesh Bank Heist: Hackers stole $81 million from Bangladesh Bank's account at the Federal Reserve Bank of New York by compromising the bank's own SWIFT messaging environment with malware and sending fraudulent transfer instructions. The SWIFT network itself was not broken; the bank's endpoint was.
- 2017 Equifax Data Breach: One of the largest data breaches in history, affecting 147 million people. Attackers exploited an unpatched Apache Struts vulnerability in a public-facing web application to reach sensitive personal information.
- 2018 Cosmos Bank Attack: Cybercriminals stole $13.5 million by compromising the bank's ATM switch server so that fraudulent withdrawals with cloned cards were approved.
- 2019 Capital One Data Breach: A former Amazon Web Services employee exploited a misconfigured web application firewall to obtain cloud credentials and access personal data on more than 100 million people.
- 2020 Finastra Ransomware Attack: The fintech giant was hit by a ransomware attack that disrupted its services and operations.
- 2021 CNA Financial Ransomware Attack: One of the largest U.S. insurers reportedly paid $40 million after a cyberattack encrypted its data.
- 2022 Ronin Network Hack: Hackers stole about $625 million from the Ronin Network, the blockchain bridge behind the game Axie Infinity, after compromising a majority of its validator keys.
- 2023 ICBC Ransomware Attack: The LockBit group attacked ICBC's U.S. broker-dealer unit with ransomware, disrupting U.S. Treasury trading.
- 2023 MOVEit Transfer Data Breach: A zero-day SQL injection flaw in the MOVEit Transfer file-transfer software was exploited to exfiltrate data from many organizations, including several financial institutions.
- 2023 Cloud IT Service Provider Attack: In late 2023, a ransomware attack on a cloud IT provider serving credit unions caused outages at about 60 U.S. credit unions, highlighting the risks of relying on third parties.
- 2024 ICBC London Ransomware Attack: The Hunters International ransomware group stole 6.6 terabytes of data from ICBC's London branch and threatened to release it if its demands weren't met.
The 2016 Bangladesh bank heist: A turning point
- What happened: In February 2016, cybercriminals compromised Bangladesh Bank's SWIFT messaging environment and used it to steal $81 million from the bank's account at the Federal Reserve Bank of New York.
- How they did it: Hackers installed malware on the bank's systems to watch how legitimate SWIFT transfers were processed, then issued fraudulent transfer instructions that the network treated as genuine, while tampering with the confirmation records that would have revealed them. They attempted nearly $1 billion in transfers, but a typo in one request raised suspicion and most of the remaining transfers were stopped.
- Impact: The heist caused significant financial loss and reputational damage, and exposed how weakly the endpoints connecting to interbank transfer networks were protected.
- Key takeaways:
- Secure payment systems are critical: The hosts that connect to interbank networks like SWIFT need hardening, segmentation and integrity monitoring, because an attacker who controls the bank's own messaging environment can send instructions the network will accept as legitimate.
- Constant monitoring is essential: Alerting on unusual transfer patterns, such as new beneficiary accounts, amounts far above normal or instructions queued outside business hours, could have caught the fraudulent messages earlier and limited the loss.
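The monitoring takeaway is usually left abstract. As an added example that is not code from the original article, from ICBC, Bangladesh Bank or SWIFT, the Python below screens a batch of outbound payment instructions against a baseline built from earlier traffic and flags the signals an analyst would want surfaced before release: an unseen beneficiary account, an amount far above the typical size, instructions queued outside business hours, and a burst of many instructions in a short window. Every record, beneficiary identifier, threshold and business-hours window here is a constructed assumption, not data from any real incident.

```python
"""Screen outbound payment instructions against a behavioural baseline.

Added example; not code from ICBC, Bangladesh Bank or SWIFT. All records,
beneficiary IDs, thresholds and business hours are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Transfer:
    ref: str            # message reference (constructed)
    sent_at: datetime   # local time the instruction was queued
    beneficiary: str    # beneficiary account identifier (constructed)
    amount_usd: float


def T(ref, when, beneficiary, amount):
    return Transfer(ref, datetime.fromisoformat(when), beneficiary, amount)


# Constructed history: weekday, business hours, a few recurring counterparties.
HISTORY = [
    T("H1", "2016-01-04T10:00", "BEN-A", 1_200_000),
    T("H2", "2016-01-05T11:30", "BEN-B", 2_500_000),
    T("H3", "2016-01-07T14:00", "BEN-A", 900_000),
    T("H4", "2016-01-12T09:45", "BEN-C", 3_100_000),
    T("H5", "2016-01-14T15:20", "BEN-B", 1_800_000),
    T("H6", "2016-01-20T10:10", "BEN-C", 2_200_000),
]

# Constructed batch to screen: a late-night weekend burst, mostly to unseen
# accounts, followed by one ordinary weekday instruction to a known account.
NEW_BATCH = [
    T("N1", "2016-02-06T01:05", "BEN-X", 25_000_000),
    T("N2", "2016-02-06T01:12", "BEN-Y", 30_000_000),
    T("N3", "2016-02-06T01:20", "BEN-Z", 6_000_000),
    T("N4", "2016-02-06T01:28", "BEN-A", 1_000_000),
    T("N5", "2016-02-06T01:35", "BEN-W", 81_000_000),
    T("N6", "2016-02-08T10:00", "BEN-A", 1_500_000),
]


def build_baseline(history):
    """Known beneficiaries and a typical amount (median, so one outlier can't skew it)."""
    known = {t.beneficiary for t in history}
    typical = median(t.amount_usd for t in history)
    return known, typical


def screen(batch, known, typical, *, amount_factor=10,
           business_hours=range(8, 18), burst_size=5,
           burst_window=timedelta(hours=1)):
    """Return {ref: [reasons]} for every instruction that trips at least one rule."""
    alerts = defaultdict(list)
    for t in batch:
        if t.beneficiary not in known:
            alerts[t.ref].append("unknown_beneficiary")
        if t.amount_usd > amount_factor * typical:
            alerts[t.ref].append("large_amount")
        # weekday() >= 5 is Saturday/Sunday
        if t.sent_at.weekday() >= 5 or t.sent_at.hour not in business_hours:
            alerts[t.ref].append("off_hours")
        # Count instructions (including this one) queued within the window.
        neighbours = sum(1 for o in batch if abs(o.sent_at - t.sent_at) <= burst_window)
        if neighbours >= burst_size:
            alerts[t.ref].append("burst")
    return dict(alerts)


def hold_for_review(alerts, min_reasons=2):
    """Refs to hold before release: two or more independent signals fired."""
    return sorted(ref for ref, reasons in alerts.items() if len(reasons) >= min_reasons)


if __name__ == "__main__":
    known, typical = build_baseline(HISTORY)
    alerts = screen(NEW_BATCH, known, typical)
    for ref, reasons in alerts.items():
        print(ref, ", ".join(reasons))
    print("hold:", hold_for_review(alerts))
```

Each rule on its own produces false positives (a genuine new counterparty, a legitimately large payment), which is why `hold_for_review` only holds instructions that trip two or more independent signals; the weekend burst to unseen accounts trips all four, while the Monday payment to a known account passes. In a real deployment the baseline would be per originating account and the thresholds tuned to that account's history, and the alert would go to a reviewer who can release or block the message before it leaves the bank.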
How DORA is shaping cyber resilience for the financial sector
The EU’s Digital Operational Resilience Act (DORA) provides a framework for addressing many vulnerabilities revealed in these breaches.
DORA emphasizes:
- Resilience testing: Ensuring systems can withstand sophisticated cyberattacks
- Incident reporting: Establishing transparency and accountability for breaches
- Proactive risk management: Identifying and mitigating operational risks before incidents occur
"The goal of regulations like DORA is simple: prevent cyberattacks from causing major damage — whether to a single business or the entire financial system." – Raghu Nandakumara
As attackers evolve, the cyberattacks on the financial sector from 2015 to 2024 point to two urgent needs: strong regulatory frameworks and greater cyber resilience within financial institutions and their key service providers.
Are you interested in learning more about DORA compliance? Download our free eBook, Strategies for DORA Compliance: The Key Role of Microsegmentation.