BOL Conferences
#154254 - 01/28/04 07:26 PM Website "Hack"
Anonymous
Unregistered

Sorry guys, I'm not sure which forum to ask this question under so I am using the general one.

We have had an intrusion in our bank's website. It appears that access was obtained in order to gain access to the server for use in distributing pirated software: computer games, music, etc. We see no evidence that they accessed any of our computer banking customers' information.
We don't know the individual or individuals responsible.

Are we required to file an SAR in this case? Are we required to report anything to anyone?

#154255 - 01/28/04 07:27 PM Re: Website "Hack"
Skittles Offline
10K Club
Skittles
Joined: Sep 2002
Posts: 13,965
TN
Computer intrusion requires a SAR.
_________________________
My Opinions Only

#154256 - 01/28/04 07:31 PM Re: Website "Hack"
redsfan Offline
Power Poster
redsfan
Joined: Dec 2000
Posts: 3,455
The Pennant Race
I agree with Skittles. You have to file a SAR. You can include the depth of the intrusion in your narrative to describe the seriousness of the intrusion.
_________________________
The opinions expressed here are personal and do not represent opinions of my employer.

#154257 - 01/28/04 07:50 PM Re: Website "Hack"
Anonymous
Unregistered

You would not only file the SAR, but you would submit a copy of the SAR form and narrative to the U.S. Attorney's office for the district of your bank's headquarters location; and you would report the incident at www.us-cert.gov (Homeland Security's new cyber incident section). Most importantly, you should have a competent audit or IT person print the audit logging reports that you maintain for that system (I think you said a server), in order to retrieve and maintain access-event data, time and date information, and, assuming this is network-based, any tell-tale ISP information.

It is not just important to complete the SAR and technical report gathering, but it is equally if not more important to mitigate future events. I'm puzzled how you would immediately conclude this was someone "hacking" into your system -- assuming there are IDS and firewall appliances or software fronting your controller -- and I'm wondering if this could be a previous or disgruntled webmaster-type person. Anyone with a userID and password to your site can vandalize; it doesn't mean an external party did this. Also, what motivation would a non-interested party have in wasting time at your particular organization? The E&Y/FBI annual report of computer/technology crimes notes that over 90% of these types of incidents are related to an "insider" -- i.e., consultant, vendor, employee, etc. -- who actually knows of your log-on routines and userID naming conventions.

#154258 - 01/28/04 10:06 PM Re: Website "Hack"
Anonymous
Unregistered

To the original Anon – Judging by your question, it appears you do not have an effective Incident Response Plan in place - either standalone or as part of your Information Security Program? Get one in place ASAP.

The Incident Response Plan should detail escalation steps (and other technical response actions) during or after a suspected breach occurs thereby decreasing your decision reaction time and decreasing the probability that the perpetrator will either destroy forensic evidence, destroy or capture sensitive information, or plant Trojan style buggies that will jump out later. As the previous poster suggests, the forensic evidence from the suspected intrusion must be preserved under proper custody and at some point turned over to law enforcement if that is the course determined by the Incident Response Plan or management override.

During your Incident Response process, keep a running total of the costs and the damages to include lost productivity, consultant fees, hardware/software and the like. There are certain dollar loss thresholds (I think like $10k) in the Computer Fraud and Abuse Act that will determine whether the US Attorneys will be interested in your case – or refer you back to local law enforcement.

-g

#154259 - 01/28/04 10:36 PM Re: Website "Hack"
JJohns Offline
Platinum Poster
JJohns
Joined: Jun 2003
Posts: 682
IL
If you're in California, you might want to check out the California state law requiring specific disclosures of security breaches relating to personal information. It may not apply if you are certain that customer information was not compromised, but it may be worth reviewing anyway.

#154260 - 01/28/04 10:44 PM Re: Website "Hack"
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Look at the instructions for the SAR. There is a specific definition for Computer Intrusion that says:

"2. Computer Intrusion. For purposes of this report, “computer intrusion” is defined as gaining access to a computer system of a financial institution to:

a. Remove, steal, procure, or otherwise affect funds of the institution or the institution’s customers;
b. Remove, steal, procure or otherwise affect critical information of the institution including customer account information; or
c. Damage, disable or otherwise affect critical systems of the institution.

For purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of websites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information."
