Cosmos signed up to introduce a new switch system back at the end of 2015 / start of 2016 - SmartVista from Russian company BPC. Their core banking systems were also provided by Infosys.
Sounds like a position where Cosmos staff were looking after a new system they weren’t familiar with. I don’t know if they would have hired new staff, contractors or trained up internal staff to look after the new system.
However, over the last couple of years they would have completely changed their switch, which would have involved recreating every single account, card, authorisation rule and CBS authorisation and response.
This would have been done by BPC initially, and then internally after that. If there is a completely new system in place with less experienced staff monitoring it, then it is going to be easier to subvert / modify parts of that system for fraud like this one.
SmartVista’s front end is just a GUI that anyone within the organisation could access. They just need access to an admin account / password on SmartVista to make some changes.
I hope this isn’t the case for Cosmos, but it sounds like a combination of inadequate controls on a system they were not familiar with causing weaknesses that were exploited.