Cyber Incident Victim: Bank Islami
Date: Oct 2018
Location: Pakistan
Summary
Bank Islami experienced a cybersecurity breach involving unauthorized international transactions from its payment card system, detected through abnormal activity originating outside Pakistan. The institution disabled international payment network access and reimbursed customers for approximately 2.6 million Pakistani rupees ($19,500) in losses, while disputing international processors' claims of a $6 million theft due to the timing of its system disconnection. Pakistan's central banking regulator confirmed fraudulent overseas card usage at ATMs and point-of-sale terminals—reportedly including Target Stores in the US and Brazil—prompting temporary restrictions on international transactions for domestic cards. Unverified reports suggested customer card data leaks contributed to the incident.
Description
On October 27, 2018, Bank Islami detected unauthorized activity when its internal security systems identified abnormal transactions originating from Pakistani debit cards outside the country. The Karachi-based bank responded by immediately disconnecting from international payment networks to contain the breach. Bank Islami publicly acknowledged the incident on October 28, 2018, through social media statements, confirming a security compromise in its payment card systems but denying reports of substantial financial losses. The institution claimed to have refunded approximately 2.6 million Pakistani rupees ($19,500) to affected customers, characterizing this as the full extent of verified unauthorized withdrawals. This stance directly contradicted international payment processors' reports that attackers had stolen approximately $6 million through fraudulent transactions.

The State Bank of Pakistan (SBP), the nation's central banking regulator, confirmed that compromised cards from an unspecified financial institution had been used at ATMs and point-of-sale terminals in multiple countries, prompting the SBP to temporarily restrict overseas transactions for its own payment cards. Media reports citing anonymous sources indicated the fraudulent transactions primarily originated from Brazil and the United States, with a significant volume traced to Target Stores' POS systems. Bank Islami maintained that the disputed $6 million in transactions could not have been processed through its systems because it had already disconnected from international networks when these transactions allegedly occurred. The bank's public denial of responsibility for the larger sum coincided with analysis suggesting financial institutions could be held liable for breaches if delayed containment measures are proven. The incident prompted nationwide cybersecurity concerns, being characterized in local media as Pakistan's largest cyberattack to date.
