Although the bank says it ‘successfully defended against the attack,’ personal banking services were inaccessible for several hours.
HSBC’s Internet banking services were unavailable for several hours on January 29, 2016, as the bank’s systems came under a DDoS attack, BBC News reports.
“We are working hard to restore services after HSBC internet banking came under a denial of service attack on Friday 29 January, which affected personal banking websites in the UK,” the bank said in a statement. “HSBC has successfully defended against the attack, and your transactions were not affected.”
As the BBC notes, the attack was launched not only on payday for many customers, but also two days before the deadline for self-assessment tax returns to be submitted in the U.K.
“Where taxpayers need information from their HSBC account, and they are currently unable to access this they can include an estimate in their return in order to file by 31 January,” a spokesman for HM Revenue and Customs (HMRC) told the BBC. “They have 12 months from the date they file to amend this with the correct information.”
Lieberman Software vice president Jonathan Sander told eSecurity Planet by email that it’s hard to know at this point how concerned to be about the potential impact of the attack. “Often DDoS attacks like this are a distraction technique; bad guys hit you hard on the left so you’re too busy to see them sneak in on the right,” he said. “DDoS attacks where bad guys flood your website with so much work they fold under the pressure aren’t even strictly a security issue on their own. Unless the DDoS is part of a recipe to steal stuff, it’s a nuisance that is more about someone flexing their muscles than doing damage.”
Still, Dave Martin, security expert and director at NSFOCUS IB, said the disruption to online services can be as damaging as a breach. “Damage to brand, loss of revenue and loss of customers due to service disruption often make up the majority of costs when measuring the financial impact of DDoS attacks,” he said. “The costs and technical barriers to execute a DDoS attack continue to decline. And unfortunately, this trend shows no signs of slowing.”
AlienVault senior vice president Richard Kirk said the attack should serve as a reminder that it’s time for cyber security risk to become a regular board-level discussion. “I wonder if the HSBC board, or any bank for that matter, regularly discusses how it should approach preparing and responding to cyber attacks and the growing risk to the business,” he said.
Imperva recently released its Global DDoS Threat Landscape report for Q4 2015, which found a 25.3 percent increase over the previous quarter in the frequency of network layer attacks. U.S.-based websites were the target of 47.6 percent of all DDoS attacks in Q4 2015, followed by the U.K. at 23.2 percent.
“Most notably, the second half of 2015 saw a surge in the use of DDoS-for-hire services,” Imperva senior digital strategist Igal Zeifman wrote in a blog post examining the findings. “These services let anyone having a PayPal account launch DDoS attacks of medium-to-high volume lasting between 30 and 60 minutes.”
“DDoS-for-hire has been around for a while,” Zeifman added. “However, increased availability of these tools, coupled with media attention and lackluster regulation, recently put this segment on an accelerated growth path. This has led to a surge in the number of DDoS attacks.”