HSBC hit by DDoS attack, Online Banking offline

One of the largest banking and financial services institutions in the world, HSBC, was hit by a distributed denial of service (DDoS) attack this morning.

It resulted in the company's banking website being offline, and its customers unable to access its services. The Online Banking website is currently displaying this message:

“We’d like to apologise to all our customers for Online Banking being unavailable. We know how inconvenient this is and we are doing everything we can to rectify the problem. Please try later.”

An HSBC spokesperson told The Independent that the bank had been hit by a DDoS attack, but that customer transactions were not affected.

“HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK,” she said. “HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed.”

The source of the attack was not disclosed, and no hacking group has yet claimed responsibility for the attack.

A distributed denial of service (DDoS) attack works by flooding the website with traffic from thousands of infected machines around the world, which together make up what’s known as a botnet.

With such a large amount of traffic coming in at the same time, the site is unable to process new requests and thus crashes.

More often than not, the hackers behind a DDoS attack demand money, usually in Bitcoin, to stop the attack.

Industry reaction

Richard Brown, Director EMEA Channels & Alliances at Arbor Networks:

"With financial institutions underpinning whole economies, they’re a particularly choice target vertical for impactful attack. Add to this the fact that it’s payday for many people – meaning more people trying to access the website and therefore a bigger audience – HSBC is an ideal target.

"HSBC will have to ensure that the attack was not used as a ‘smokescreen’, drawing the IT department’s attention towards this event while sensitive data is stolen or malware is implanted in the network."

Justin Harvey, CSO at Fidelis Cybersecurity:

“HSBC has done the right thing by announcing to customers that it has been targeted by a DDoS attack, it’s just unfortunate that the attack has happened on a date that will disrupt so many users of the online service. Spreading awareness about these types of attacks and reporting them to the authorities is the best way for data to be gathered on an attack which can help track down the culprits and bring cybercriminals to justice.

“While any organisation can be targeted with a DDoS attack, there are some guidelines that can be followed to mitigate the impact. Strong external network-facing access control lists (ACLs) should be instituted to keep out-of-profile traffic off services, robust monitoring should be put in place to identify these types of attacks in their early stages, and high-risk organisations should oversubscribe their network bandwidth to better absorb the brunt of inbound DDoS attacks. The upstream ISP should also be notified to place mitigations on their connected devices to protect networks.”

Dave Larson, Chief Operating Officer at Corero Network Security:

"Large financial institutions historically, and rightfully so, spend large amounts of money building sophisticated security perimeters for protection against cyber-attacks. Clearly, the financial industry is a high profile target for DDoS attacks, with techniques ranging from botnets to brute force attack campaigns to low bandwidth, sophisticated application-layer attack mechanisms. Unfortunately, legacy security defenses are not adequate to defeat this type of cyber attack. The confirmed DDoS attack and subsequent outage against HSBC’s online banking portal further confirm this.

"Online organisations need to take a closer look at the problem of business disruption resulting from the external DDoS attacks that every organisation is unavoidably exposed to when they connect to an unsecured or 'raw' Internet feed. Automatic, in-line DDoS mitigation negates the flood of attack traffic at the Internet edge, eliminating service outages and potential subsequent, and more malicious data breach activity."

Tim Erlin, director of security and risk at Tripwire:

“Financial institutions, including banks, are often at the forefront of data security practices and technologies. They have to be because they are the most targeted organisations. Information security is an arms race, where both sides have to evolve to survive.

“It’s important to understand that these types of attacks are run by organised crime. There are sophisticated groups behind them, with skills, resources and the objective of profit.”