HSBC has been forced to apologize to customers after a DDoS attack disrupted key online systems, meaning many users couldn’t log in to their internet banking portals.
A statement from the bank claimed this morning’s denial of service attack affected “personal banking websites in the UK.”
“HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed. We apologise for any inconvenience this incident may have caused.”
The outage persists for many customers as of the time of writing, with countless HSBC online banking users taking to social media to vent their anger.
The attack comes at a particularly sensitive time, given there are only a couple of days left for UK taxpayers to file their returns without being charged interest on late payments.
As the last working day of the month, it’s also pay day for many people – a fact the DDoS-ers may well have had in mind when timing the attack.
A new report from security firm Imperva released yesterday showed that attacks on UK websites soared by over 20% in Q4 2015, placing the country as the second most targeted in the world behind the US.
Justin Harvey, CSO at Fidelis Cybersecurity, had advice for firms caught in the same situation as HSBC.
“Strong external network-facing access control lists (ACLs) should be instituted to keep out-of-profile traffic off services, robust monitoring should be put in place to identify these types of attacks in their early stages, and high-risk organizations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks,” he said.
“The upstream ISP should also be notified to place mitigations on their connected devices to protect networks.”
However, Lee Munson, security researcher for Comparitech, urged commentators not to blow things out of proportion.
“The bank’s systems have not been breached. No bank accounts have been raided and no personal information has been stolen,” he argued.
“The UK financial sector remains resilient to cyber-attack thanks to operations such as Wire Shark and Resilient Shield which have encouraged sharing of threat intelligence and greater communication between both British and US banks.”
The bank also said it was “working closely with law enforcement authorities to pursue the criminals responsible.”
However, Ryan O’Leary, senior director of WhiteHat Security’s Threat Research Centre, argued that the bank’s time could be better spent on preventative measures, especially given that finding and prosecuting attackers can be a challenge.
“Those who can pull off a DDoS attack are extremely prevalent; if one individual or group were able to execute a DDoS attack, it is very likely many others could do the same,” he added. “The company’s issue is not the attacker, it’s the system that is susceptible to the attack. Fix the issue and your attacker problem goes away.”