The recent “denial of service” attack on HSBC’s websites around the world may have been an annoyance for customers and the bank, rather than a damaging breach of security. But it’s yet another reminder of the disruption and reputational damage that can be caused by so-called hacktivists.
On October 18, HSBC, a London-based global bank, came under a barrage of Internet traffic that effectively crashed many of its websites around the world. It started at around 5:30 p.m. London time (12:30 p.m. Eastern) and took until 3 a.m. (10 p.m. Eastern) before all sites were fully back up and running. HSBC said on the night of the attack that customer data was not affected but that it did prevent customers using HSBC online services, including Internet banking. Customers, unaware of the attack, expressed their fury on Twitter that HSBC’s websites were unavailable.
Suspicions were first directed at “Anonymous,” a group that has launched such attacks before. In August the group brought down a number of U.K. government websites to show support for Julian Assange, the Wikileaks founder who is fighting extradition to Sweden to face sex-crimes charges by seeking asylum in Ecuador’s London embassy.
But a supposedly British group that appears to be an Anonymous splinter organization called FawkesSecurity claimed responsibility on Twitter for the HSBC attack, and told tech website TheRegister.co.uk that it was targeting banks because “It’s their fault that the worlds [sic] economics are so messed up.”
James Thorpe, a spokesman for HSBC, told CFO European Briefing that the attack was “reasonably global.” HSBC’s Asian sites were least affected, while its U.S. site was down for the longest period of time. Some sites, such as the one in France, were apparently brought down because they were largely hosted in the United Kingdom.
Thorpe said the attack originated from “multiple territories” but declined to say which ones. Neither would the bank comment on press speculation about who was responsible for the attack so as not to give credibility to any one group. But HSBC has accumulated information that it is sharing with regulators and law-enforcement authorities.
Thorpe insisted that this was “an Internet-only issue.” “Customers still had access to all the other channels, such as phone and branch,” he said. “It was just that the website was unavailable for a period of time. It doesn’t affect any internal workings of the bank.” Specifically, corporations’ payment systems were unaffected, he said.
Internet security experts at Arbor Networks say HSBC suffered what is known as a DDoS — distributed denial of service — attack. This is, in effect, a multisource launch using “botnets,” networks of computers that have been compromised and used to execute malicious software, probably unbeknownst to the legitimate owners of the hijacked PCs or servers. The result is that target websites are bombarded with far more requests than the servers can handle, not unlike what happens inadvertently and more benignly when tickets for a popular concert are suddenly released through a single ticket vendor. The swarm of customers is too great for the website to handle all at once.
Disturbingly, botnet functionality can apparently be rented by anyone who has the desire to launch such an attack but who lacks the technical skill to do so. The availability of such tools is said to be becoming much more widespread, and the frequency of DDoS attacks is said to have risen during the past 6 to 12 months.
Technology website v3.co.uk says the U.S. Financial Services Information Sharing and Analysis Center upgraded its “cyber threat advisory” status from “elevated” to “high” in September, following “unexplained outages” on Bank of America’s and JPMorgan Chase’s websites. “Despite the upgrade, US bank Wells Fargo was hit by an attack just a few days later,” v3.co.uk reported.
HSBC insisted that the attack did not affect its data or any “internal workings.” But experts warn that any business reliant on the web for generating business could be financially affected by losing revenue during the time it is unable to sell because its website has collapsed.
Darren Anstee, solutions architect team leader for Europe, the Middle East, and Africa at technology security company Arbor Networks, said in a recent statement that recent attacks have been “multi-vector”: hitting the target using a combination of tactics aimed at different layers of security. “Attackers are doing this because they know it makes the attacks more difficult to deal with, but not impossible if we have the right services and solutions in place,” he said.
He refuted arguments that it isn’t possible to stop such attacks: “That is simply not the case,” Anstee said. “If you have both on-premise protection as well as cloud-based protection from a service provider, this will help your business to withstand the majority of DDoS attacks.”
Andrew Sawers is editor of CFO European Briefing, a CFO online publication.