Bank Negara Malaysia imposed a RM1 million administrative monetary penalty on Bank Kerjasama Rakyat Malaysia Berhad for cybersecurity and customer information protection failures linked to a ransomware attack that compromised the bank’s IT infrastructure in September 2024. The enforcement action, publicly disclosed on April 1, 2026, marks the second penalty levied against the institution within a year and signals an intensifying regulatory stance on digital risk management across Malaysia’s financial sector.
Key Facts At A Glance
- Bank Negara Malaysia imposed the RM1 million administrative monetary penalty on Bank Kerjasama Rakyat Malaysia Berhad on January 20, 2026; the bank settled the fine six days later on January 26, 2026.
- The penalty was linked to a September 2024 cybersecurity incident in which an external threat actor gained unauthorized access to Bank Rakyat’s IT infrastructure.
- The threat actor was later identified by cybersecurity monitoring groups as Hunters International, a ransomware-as-a-service group, which reportedly exfiltrated approximately 463 gigabytes of data encompassing 144,015 files.
- BNM found breaches under two regulatory frameworks: the Risk Management in Technology Policy Document and the Management of Customer Information and Permitted Disclosures Policy Document.
- The central bank cited inadequate cybersecurity controls, weaknesses in incident response processes, and a lack of reasonable care in ensuring compliance.
- This is the second administrative monetary penalty imposed on Bank Rakyat within approximately seven months, following a RM2.85 million fine in June 2025 for separate service disruption failures.
- Bank Rakyat has since enhanced its IT infrastructure, monitoring capabilities, threat detection systems, and governance arrangements.
The September 2024 Incident
The enforcement action traces directly to a cybersecurity incident that Bank Rakyat first publicly acknowledged on September 3, 2024, describing it as a “possible data infringement” involving customer information. The bank stated at the time that it had contained the issue through proactive measures and notified affected customers via letters and SMS. It also confirmed the incident had been reported to the relevant authorities.
Cybersecurity monitoring groups subsequently linked the attack to Hunters International, a ransomware-as-a-service operation with observed ties to the disbanded Hive ransomware group. Hunters International reportedly exfiltrated approximately 463.2 gigabytes of data comprising 144,015 files, which it later leaked on its dark web platform after an initial ransom deadline passed without resolution. The leaked data was reported to include sensitive customer financial information, including credit-related files.
Despite Bank Rakyat’s initial public assurances that its banking systems remained secure and fully operational, the scale of the data exfiltration revealed during the subsequent weeks indicated significant gaps in the bank’s threat containment capabilities.
Regulatory Findings And Penalty Framework
BNM’s investigation concluded that the incident exposed breaches under two distinct regulatory instruments. The first is the Risk Management in Technology Policy Document, commonly referred to as RMiT PD, which requires financial institutions operating in Malaysia to maintain robust cybersecurity frameworks capable of detecting, preventing, and responding to threats, including clear protocols for incident response, system recovery, and stakeholder communication. The second is the Management of Customer Information and Permitted Disclosures Policy Document, which mandates strict controls to safeguard customer data against misuse or unauthorized access.
The central bank concluded that Bank Rakyat had failed to implement adequate cybersecurity standards under RMiT PD and had not applied sufficient controls to protect customer information under the second policy document. BNM identified the root causes as inadequate cybersecurity controls and deficient incident response capabilities. In determining the penalty amount, BNM said it weighed the severity of the breaches, the bank’s failure to exercise reasonable care in ensuring compliance, its past compliance record, and the adequacy and effectiveness of remedial measures taken following the incident.
A Pattern Of Enforcement
The January 2026 penalty is the second formal enforcement action against Bank Kerjasama Rakyat Malaysia Berhad within a short span. In June 2025, BNM imposed a RM2.85 million penalty on the institution for separate violations involving repeated service disruptions to its e-banking channels, ATMs, and card systems between June 2023 and December 2024. Those outages breached RMiT PD thresholds, which cap unplanned system downtime at four cumulative hours over a rolling 12-month period and 120 minutes per individual incident. BNM found that the disruptions stemmed from weaknesses in the bank’s response and recovery processes.
The combined total of penalties imposed on Bank Rakyat across both actions amounts to RM3.85 million within the span of seven months, making the institution one of the most-penalized under Malaysia’s financial technology compliance framework in recent memory.
Broader Regulatory Context
BNM’s escalating enforcement activity against Bank Rakyat is consistent with a wider tightening of cybersecurity oversight across Malaysia’s financial sector. The central bank updated its RMiT PD requirements in 2025 to reflect rising digital risks, and its Annual Report 2025 disclosed that digital risk management remains an active supervisory priority. BNM stated publicly that it will not hesitate to take appropriate supervisory and enforcement actions against any financial institution that fails to meet its legal and regulatory obligations, framing the Bank Rakyat action as consistent with its published enforcement approach.
Bank Rakyat is Malaysia’s largest Islamic cooperative bank by assets, with total assets of RM117.33 billion reported as of end-2023. It operates 148 branches, more than 986 ATMs, and 131 Ar-Rahnu X’Change outlets nationwide.