Mexico’s central bank said on Wednesday that a cyber-attack had sucked around 300 million pesos ($15.33 million) in fraudulent transfers from five companies, but it was unclear how much thieves had managed to pull out in cash.
Bank of Mexico Governor Alejandro Diaz de Leon said authorities were still deciphering how the cyber criminals, who were detected in late April, had tapped into banks’ connections to the payment system to send false orders.
He declined to identify the companies that had been hit, only saying that three banks, a broker and a credit union had seen fake transfers.
Diaz de Leon said preliminary estimates pointed to around 300 million pesos in “irregular transactions,” but he said some of that had not been withdrawn and could still be recovered.
Sources close to the investigation told Reuters that there were cash withdrawals from dozens of banks around the country shortly after hundreds of fraudulent transfers.
A slowdown in transfers since late April raised concerns of a cyber-attack on banks in Latin America’s No. 2 economy, where worries about the financial system run deep after repeated bank crises in the 1980s and 1990s.
The central bank took more than two weeks to admit there had been a cyber-attack and provide details about potential losses.
“We are very conscious that this has affected users, and we are sorry about that and we are taking immediate actions to recover the speed of the system with full security,” Diaz de Leon said.
The electronic payments system, called SPEI, was not attacked directly and depositors’ money is safe, he said. Until a full investigation was complete, it is impossible to say that all vulnerabilities had been closed, he added.
Mexico’s SPEI system is a domestic network similar to the SWIFT global messaging system that moves trillions of dollars each day.
The attack on Mexican banks is similar to one of the biggest-ever known cyber heists, when thieves stole $81 million from Bangladesh’s central bank in 2016.
Mexico’s central bank said on Tuesday that it would create a new unit to design and issue guidelines on information security for the country’s banks.
Diaz de Leon said the central bank had an internal cyber security unit since 2013, and had beefed up protections in 2016, following the Bangladesh attack.