HSBC has been hit with a cyber attack, a DDoS that tried to flood its systems and forced the high-street bank to take its online and mobile services down in the UK.
In a statement John Hackett, UK Chief Operating Officer, said: "HSBC’s internet and mobile services have partially recovered, and we continue to work to restore a full service. We are continuing to experience attempted denial of service attacks and we are closely monitoring the situation with the authorities."
The attack has provoked political interest outside the cyber security industry.
Andrew Tyrie MP, Chairman of the Treasury Committee:
"Only last week I wrote to the regulators to encourage them to take decisive action on IT. This work needs to be led by a single regulator, probably the PRA. It needs to bring together those most involved among regulators and government agencies, and to require improvement at the banks. The sooner this is put underway, the better.
"Episodes like today’s bring a great deal of uncertainty, and sometimes disruption and distress to customers.
"Bank IT systems just don’t seem to be up to the job."
Given the importance of financial institutions, the industry has had a lot to say. Here is a roundup of the industry reaction.
Tim Erlin, director of security and risk at Tripwire
"Financial institutions, including banks, are often at the forefront of data security practices and technologies. They have to be because they are the most targeted organizations. Information security is an arms race, where both sides have to evolve to survive. It’s important to understand that these types of attacks are run by organized crime. There are sophisticated groups behind them, with skills, resources and the objective of profit."
Justin Harvey, CSO at Fidelis Cybersecurity
"HSBC has done the right thing by announcing to customers that it has been targeted by a DDoS attack, it’s just unfortunate that the attack has happened on a date that will disrupt so many users of the online service. Spreading awareness about these types of attacks and reporting them to the authorities is the best way for data to be gathered on an attack which can help track down the culprits and bring cybercriminals to justice."
Richard Brown, Director EMEA Channels & Alliances at Arbor Networks
"With financial institutions underpinning whole economies, they’re a particularly choice target vertical for impactful attack. Add to this the fact that it’s payday for many people – meaning more people trying to access the website and therefore a bigger audience – HSBC is an ideal target.
"HSBC will have to ensure that the attack was not used as a ‘smokescreen’, drawing the IT department’s attention towards this event while sensitive data is stolen or malware is implanted in the network."
Laurance Dine, Managing Principal, Investigative Response at Verizon Enterprise Solutions
"Unlike other attack types, which expose sensitive data like payment card details, intellectual property or health records, DoS attacks are primarily about disruption. Essentially, these attacks flood online systems, such as internet banking sites or online trading platforms, with vast amounts of data in order to overload them and take services offline. DoS attacks can last several days, so it’s vital to have a plan in place to deal with such a threat.