A Bangladesh government-appointed panel investigating the theft of US$81 million from the country's central bank has found that international banking payments network SWIFT committed a number of mistakes in connecting up a local network.
"We have shown that SWIFT made a number of errors that made it easy for the hackers," Mohammed Farashuddin, a former governor of the Bangladeshi central, said.
He said SWIFT, a cooperative owned by 3000 financial institutions, could not escape responsibility as it had connected its network to the central bank's new real-time gross settlement (RTGS) system launched in October for domestic transactions.
"SWIFT is responsible for the heist of Bangladesh Bank as it approached the central bank for the installation of RTGS real-time gross settlement," Farashuddin said.
SWIFT has already rejected allegations made by Dhaka that it had been at fault, saying its financial messaging system remained secure and had not been breached by the hackers during the attack on Bangladesh Bank.
The hackers broke into the systems of the central bank in early February and issued instructions through the SWIFT network to transfer US$951 million of its deposits held at the New York Federal Reserve Bank to accounts in the Philippines and Sri Lanka.
Most of the transactions were blocked but four - amounting to US$81 million - went through, prompting allegations by Bangladeshi officials that both the Fed and SWIFT had failed to detect the fraud.
Bangladeshi police and a bank official said earlier this month that the central bank became more vulnerable to hackers when technicians from SWIFT connected the new bank transaction system to SWIFT messaging three months before the theft.
The local Daily Star newspaper quoted Farashuddin as saying SWIFT failed to implement 13 security measures in the installation of the system.
Farashuddin is due to submit his final report to the government in the next few days.
A spokeswoman for SWIFT said she had no immediate comment.
In a letter to users dated May 3, SWIFT told its bank customers that they were responsible for securing computers used to send messages over its network.