
HSBC is working closely with law enforcement authorities to pursue the criminals responsible for today's attack on our internet banking.
— HSBC UK (@HSBC_UK) January 29, 2016
HSBC has also declared it will be refunding customers who have lost money as a result of the attack and is waiving fees incurred because of it. The smoke is yet to clear and the bank has not released much information on the details of the attack or what was affected. It was, however, keen to point out to the press that no customer details were compromised.
While the full story is not currently known, DDoS attacks are commonly used as smokescreens to divert the attention of a cyber-security team while the attackers steal data of actual value. Jonathan Sander, VP of product strategy at Lieberman Software, expanded on this to SC: “Often DDoS attacks like this are a distraction technique; bad guys hit you hard on the left so you're too busy to see them sneak in on the right. DDoS attacks where bad guys flood your website with so much work they fold under the pressure aren't even strictly a security issue on their own. Unless the DDoS is part of a recipe to steal stuff, it's a nuisance that is more about someone flexing their muscles than doing damage.”
With the last day to file tax returns coming up on Sunday, such an attack surely put those who rely on HSBC's banking portal for financial activities in something of a corner, with customers flooding the bank's call centres and taking to Twitter to vent their spleens about the inconvenience. Responses ranged from the polite:
Cheers @HSBC_UK for once again being unavailable for online banking when I need it. It's getting silly now
— Camila de Paula (@camiladepaula_y) January 29, 2016
to the flamboyant:
@HSBC_UK online banking down AGAIN? Really? It's almost like you've done something to annoy hackers, like laundering billions of $ maybe?
— Deej Sullivan (@sullivandeej) January 29, 2016
While much of the national press, no doubt helped by the public relations team at the bank, have spun this as a success rather than a failure, those within the industry have been less charitable about HSBC's defence of its customers.
Brian Spector, CEO of MIRACL, told SCMagazineUK.com that while not even the world's great financial institutions are immune to cyber-attack: “HSBC is using antiquated authentication technology; what else is not up to speed such that one of the world's largest banks has been taken offline?”
He added: “HSBC is claiming to have ‘successfully defended’ the attack but if your main business is taken offline, and your website is unreachable, you have not successfully defended yourself.”
Elmellas added, “Yes, HSBC has stepped up and informed its customers and yes it has worked hard to resolve the issue but given it's a repeat attack it could still potentially damage customer confidence in the bank's online capabilities.”
This is not the first time HSBC's systems have run into trouble. In August last year, the bank's payment systems crashed, preventing customers from transferring money. In 2012, the bank was DDoSed twice at the same time as several other major banks, including the US-based Capital One.