Global bank sanctions database at risk, warns former GCHQ security specialist

US-based database intended to help banks avoid breaching far-reaching US sanctions could be at risk of attack

A banking database of customer information represents a major cyber security risk that could attract attack from both states' security apparatus and cyber criminals, according to a warning from an ex-GCHQ security specialist.

Brian Lord, now a managing director at security services company PGI, has warned that the database, known as Clarient Global, is such a honeypot of information that it will inevitably be targeted.

Clarient Global is majority owned by the Depository and Clearing Trust Corporation, a New York-based organisation. It was established in response to the increasingly aggressive enforcement of US sanctions against states such as Iran, which the US applies globally.

The database contains information about banks' institutional clients and their trading activities and is intended to provide banks with a centralised reference to help them avoid breaching US sanctions.

"What this proposal appears to be is putting all that data in one repository, and this makes the value to a hostile actor significantly more than the sum of its parts," he told the Daily Telegraph. "Because the accumulative value of this data is so large it would attack state interest, it is going to be valuable to the highest possible level of sophisticated actor."

The sheer number of banks involved in supporting the project - both contributing information, as well as using it as part of their own due diligence processes - will leave it wide open, believes Lord.

"Regardless of how good your technology is, one of the greatest vulnerabilities is the human being and the user, and what you're doing here is creating a number of users, each of which has their own culture and modus operandi," he said. "You're putting them on to the same system and expecting them to use it the same way."

Lord's warning comes after it was revealed that an attack on US investment bank JP Morgan saw gigabytes of internal data transmitted to servers in Russia.

Punishments for contravening US sanctions can be harsh, and are levied against companies that have any kind of economic activity in the US. French bank BNP Paribas was forced to pay $8.9bn after admitting to money laundering charges, while HSBC, Lloyds Bank and Standard Chartered have also been hit with big fines from US regulators in recent years.