News by Max Metzger

Banking giant HSBC's online banking portal has been taken down by a large DDoS attack, just a couple of days before taxes are due.

HSBC has beaten off a DDoS attack today, according to the international banking giant. One of the bank's spokespeople told the press: “HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK. HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed.”

HSBC's online banking portal suffered a large outage over a couple of hours today while the bank tried to defend against a DDoS attack. The perpetrator was not specified by the spokesperson but the bank later tweeted:

HSBC has also declared it will be refunding customers who have lost money as a result of the attack and is waiving fees racked up by the attack. The smoke is yet to clear and the bank has not released much information on the details of the attack or what was affected. It was, however, keen to point out to the press that no customer details were compromised.

While the full story is not currently known, DDoS attacks are commonly used as smoke screens to divert the attention of a cyber-security team while the attackers steal data that is actually valuable. Jonathan Sander, VP of product strategy at Lieberman Software, expanded on this to SC: “Often DDoS attacks like this are a distraction technique; bad guys hit you hard on the left so you're too busy to see them sneak in on the right. DDoS attacks where bad guys flood your website with so much work they fold under the pressure aren't even strictly a security issue on their own. Unless the DDoS is part of a recipe to steal stuff, it's a nuisance that is more about someone flexing their muscles than doing damage.”

With the last day to file tax returns coming up on Sunday, such an attack surely put those who rely on HSBC's banking portal for financial activities in something of a corner, with customers flooding the bank's call centres and taking to Twitter to vent their spleens on the inconvenience. Responses ranged from the polite,

to the flamboyant:

While much of the national press, no doubt helped by the public relations team at the bank, have spun this as a success rather than a failure, those within the industry have been less charitable about HSBC's defence of its customers. Brian Spector, CEO of MIRACL, said that while not even the world's great financial institutions are immune to cyber-attack, “HSBC is using antiquated authentication technology; what else is not up to speed such that one of the world's largest banks has been taken offline?” He added, “HSBC is claiming to have ‘successfully defended’ the attack but if your main business is taken offline, and your website is unreachable, you have not successfully defended yourself.”

Jamal Elmellas, technical director at Auriga, also offered some insight to SC: “This was of course a targeted attack that took advantage of weaknesses in the bank's defences. HSBC suffered a similar type of attack in 2012 which suggests its current security posture isn't as comprehensive as it should be. Social media monitoring, focused threat detection assessment, and real time monitoring of the security operations centre (SOC) would have significantly reduced the odds of a successful attack.” 

Elmellas added, “Yes, HSBC has stepped up and informed its customers and yes it has worked hard to resolve the issue but given it's a repeat attack it could still potentially damage customer confidence in the bank's online capabilities.”

This is not the first time HSBC's systems have run into trouble. In August last year, the bank's payment systems crashed, preventing customers from transferring money. In 2012, the bank was DDoSed twice at the same time as several other major banks, including the US-based Capital One.
