HSBC UK this morning was the target of a DDoS attack that flooded the financial institution's systems with manufactured traffic, much to the dismay of online banking customers who were unable to access and manage their accounts.
The Twitter page for HSBC UK first showed indications of an incident around 11 a.m. GMT (6 a.m. ET), with a Tweet stating: “HSBC UK internet banking was attacked this morning. We successfully defended our systems.” However, hours after that post, the company was still urging customers to visit local branches for urgent transactions. Only after 9 p.m. GMT did the bank finally announce: “HSBC internet and mobile banking are now fully recovered.”
At least one HSBC customer on Twitter expressed confusion with the seemingly mixed messages: “So the inability to log in at all for the last 4hrs is you ‘successfully’ defending a DDoS? Nice one,” the frustrated user wrote.
HSBC UK sent SCMagazine.com an official statement: “HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK. HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore normal service. HSBC is working closely with law enforcement authorities to pursue the criminals responsible for today's attack on our internet banking. We apologise for any inconvenience this incident may have caused.”
The cyberattack only compounds customer frustrations: earlier this month the company suffered an unrelated technical issue with its IT systems that prevented customers from logging on, BBC News reported.
This latest attack comes on the heels of Kaspersky Lab releasing its Q4 Kaspersky DDoS Intelligence Report, which warns that cybercriminals are seeking out new threat vectors including CCTV cameras and other IoT devices, as well as NETBIOS name servers for reflection DDoS attacks.
Experts are well aware of how DDoS is evolving, and how companies are responding in kind. “Companies have fully accepted the risk from cyberattacks, and in an effort to defend their customers, they may try things like bulking up on multiple layers of defense,” said Bill Barry, executive vice president of global strategy at DDoS defense firm Nexusguard. However, he warned, “An over-aggressive defense posture that blocks legitimate traffic ironically helps complete the goal of the original intent: denial of service.”
Barry speculated that tighter restrictions placed on HSBC's traffic rules and policies in the immediate aftermath of the attack may have been the reason that certain customers still could not access the HSBC website, even if systems were technically back up and running. “In some instances you have a mentality of ‘Let's sacrifice a few to save the whole,’” explained Barry.
Dave Martin, a security expert and director at network security and analytics provider NSFOCUS IB, suggested that HSBC's servers “were probably busy handling a surge of requests from legitimate users once the service was restored… This high utilization can cause delays until the number of user requests reaches a level that can be handled by the servers and supporting infrastructure.”
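The two effects Barry and Martin describe, an over-tight mitigation policy locking out legitimate users and a post-recovery surge keeping a restored service slow, can be made concrete with a small simulation. The following Python script is an added illustration and is not code from the article, from HSBC or from either vendor; the traffic mix (50 legitimate users, 5 flood sources), the per-source request limits and the server capacity figures are all constructed assumptions, and the limiter is a simple fixed-window counter rather than any real product's algorithm.

```python
"""Constructed simulation of two DDoS-mitigation trade-offs (example code).

1. apply_rate_limit: a tight per-source limit blocks most flood traffic but
   also blocks legitimate users whose browsers burst (page plus assets).
2. recovery_backlog: when service returns, clients that retry at the same
   moment create a queue that outlasts the attack; spreading retries does not.
All traffic figures below are invented for illustration.
"""
from collections import defaultdict

WINDOW_SECONDS = 10          # length of the simulated observation window


def build_traffic():
    """Return a list of (second, source, kind) events for a constructed mix.

    40 steady users send 1 request/s; 10 'bursty' users load a page with 7
    assets at t=0 (8 requests) and then 1 request/s; 5 flood sources send
    100 requests/s each. Hostnames are hypothetical labels, not real hosts.
    """
    events = []
    for i in range(40):                                   # steady users
        events.extend((t, f"user-{i}", "legit") for t in range(WINDOW_SECONDS))
    for i in range(40, 50):                               # bursty users
        events.extend((0, f"user-{i}", "legit") for _ in range(8))
        events.extend((t, f"user-{i}", "legit") for t in range(1, WINDOW_SECONDS))
    for i in range(5):                                    # flood sources
        for t in range(WINDOW_SECONDS):
            events.extend((t, f"bot-{i}", "attack") for _ in range(100))
    events.sort(key=lambda e: e[0])
    return events


def apply_rate_limit(events, per_source_per_second):
    """Fixed-window limiter: allow at most N requests per source per second.

    Returns {"legit": {"allowed": n, "blocked": n}, "attack": {...}} so the
    false-positive cost of a policy can be read off directly.
    """
    seen = defaultdict(int)                     # (second, source) -> count
    stats = {"legit": {"allowed": 0, "blocked": 0},
             "attack": {"allowed": 0, "blocked": 0}}
    for second, source, kind in events:
        seen[(second, source)] += 1
        verdict = "allowed" if seen[(second, source)] <= per_source_per_second else "blocked"
        stats[kind][verdict] += 1
    return stats


def recovery_backlog(waiting_users, capacity_per_second, spread_seconds):
    """Model clients retrying after restoration with a FIFO server queue.

    Arrivals are spread evenly over spread_seconds (1 = everyone retries at
    once). Returns (peak_queue_length, seconds_with_users_left_waiting).
    """
    queue = 0.0
    peak = 0.0
    overloaded_seconds = 0
    remaining = float(waiting_users)
    per_second = waiting_users / spread_seconds
    while remaining > 0 or queue > 0:
        arriving = min(per_second, remaining)   # this second's retries
        remaining -= arriving
        queue += arriving
        peak = max(peak, queue)
        queue = max(0.0, queue - capacity_per_second)  # serve up to capacity
        if queue > 0:
            overloaded_seconds += 1             # someone is still waiting
    return peak, overloaded_seconds


if __name__ == "__main__":
    traffic = build_traffic()
    for limit in (3, 20):
        s = apply_rate_limit(traffic, limit)
        print(f"limit {limit:>2}/s per source: "
              f"attack blocked {s['attack']['blocked']}/{sum(s['attack'].values())}, "
              f"legit blocked {s['legit']['blocked']}/{sum(s['legit'].values())}")
    for spread in (1, 10):
        peak, busy = recovery_backlog(2000, 300, spread)
        print(f"2000 users retrying over {spread:>2}s at 300 req/s capacity: "
              f"peak queue {peak:.0f}, {busy}s with users still waiting")
```

With the constructed numbers, the strict 3-per-second policy blocks 97% of flood requests but also rejects the asset bursts of every bursty user, which is the "sacrifice a few" outcome; the looser 20-per-second policy blocks no legitimate requests at the cost of letting more flood traffic through to whatever sits behind the limiter. The second model shows why a service can stay slow after an attack is over: the same 2000 retries leave users waiting for six seconds when they arrive together, and for none at all when client back-off spreads them over ten seconds.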
What isn't clear yet is how financially damaging the attack was to HSBC. “Damage to brand, loss of revenue and loss of customers due to service disruption often make up the majority of costs when measuring the financial impact of DDoS attacks,” said Martin.
Meanwhile, “The costs and technical barriers to execute a DDoS attack continue to decline. And unfortunately, this trend shows no signs of slowing.”