HSBC suffers online banking cyber-attack

Bank admits its internet banking facility was made unavailable following a ‘denial of service’ attack, but says no transactions were affected

HSBC customers were locked out of internet banking for several hours on Friday after the company was targeted by online criminals in a denial of service attack.

The bank, which has 17 million personal banking and business customers in the UK, said its website had been attacked, but it had successfully defended its systems. Customers were unable to log into their accounts until late in the afternoon, on what is likely to have been a busy day for online banking, as many employees received their first pay packet of the year.

A denial of service attack overwhelms a website with traffic, taking it offline, and is sometimes used as a smokescreen for other attacks. The bank said there were no indications of customer data theft. It is now working with the government-backed Computer Emergency Response Team, Cert-UK, to pursue the criminals responsible.

News of the cyber-attack broke mid-morning a couple of hours after customers started reporting that they were unable to access their accounts. Shortly before 5pm, John Hackett, HSBC’s UK chief operating officer, said the bank was continuing to experience attempted denial of service attacks and was closely monitoring the situation with the authorities.

“HSBC’s internet and mobile services have partially recovered, and we continue to work to restore a full service,” he said.

“We apologise for the disruption and inconvenience this may have caused.”

Message on HSBC's website
A message to customers on HSBC’s website. Photograph: HSBC website

It is the second time in a month that the bank’s customers have been locked out of online services, although last time the bank said it was not the result of a cyber-attack but a technical issue in HSBC’s systems.

Robert Capps of tech company NuData Security said distributed denial of service attacks [DDoS] were not direct attacks on the accounts held at financial institutions. “They are attacks on the public image and consumer goodwill towards those institutions,” he said. “They are meant to harass, intimidate and embarrass a targeted institution, but the DDoS attacks rarely result in any lasting impact on individual accounts at an institution.”

However, he said the attacks had been used as cover for other activities, such as cyber-heists, at a targeted institution.

“They are sometimes meant to draw away the attention of the information security teams of a financial institution from the real intent of the attacks, such as large value money transfers, or the bulk theft and removal of consumer account data.

“Only time will tell if the HSBC cyber-attack is simply a DDoS attack or a cover for a much more damaging intrusion into their systems.”

Andrew Tyrie MP, chairman of the Treasury committee, said he had recently written to regulators asking them to take action on banks’ IT systems.

“Bank IT systems just don’t seem to be up to the job. This leaves bank customers with a substandard service,” he said.

“Incidents like these are unacceptably frequent, and sometimes serious. Until this is sorted out, the public will remain more exposed than necessary to the risks of IT banking failures, including delays in paying bills, an inability to obtain their own money, and unauthorised access to their accounts.”


Hilary Osborne

The GuardianTramp

Related Content

Article image
Tesco Bank cyber raid 'unprecedented', says financial regulator
FCA chief tells MPs that ‘serious’ theft from 20,000 accounts may be linked via debit card flaw as customers report money transfered to Brazil and Spain

Jill Treanor

08, Nov, 2016 @11:48 AM

Article image
Haunted by shame: victims of bank transfer scams tell of lasting trauma
Fraud can have devastating consequences on victims, and not only financially

Anna Tims

17, Apr, 2021 @8:00 AM

Article image
'I lost £95,000 in a bank scam after my solicitor's email was hacked'
Sally Flood managed to claw two-thirds back, but says lenders should do more to protect customers

Rupert Jones

29, Feb, 2020 @1:00 PM

Article image
Lloyds bank accounts targeted in huge cybercrime attack
Banking group says none of its 20m accounts were hacked or compromised after fending off two-day denial of service attack

Patrick Collinson

23, Jan, 2017 @12:20 PM

Article image
So you think you’re safe doing internet banking?
Britain’s leading expert on cyber security refuses to bank online. We ask if you should follow suit

Miles Brignall

21, Nov, 2015 @6:59 AM

Article image
Fraud soars by 53% in a year as scammers get sophisticated
Financial services providers are launching a national campaign to combat rise in fraud and remind customers to stop and think

Rupert Jones

19, Sep, 2016 @11:01 PM

Article image
HSBC to close 27 more branches across UK this year
Wave of closures announced as more customers switch to online and mobile banking

Rupert Jones

25, Feb, 2020 @1:34 PM

Article image
RBS says NatWest website hit by cyber-attack
Royal Bank of Scotland said its systems had been deliberately targeted

Jill Treanor

06, Dec, 2013 @2:41 PM

Article image
HSBC to close 62 more branches this year, blaming online banking
Branches in London, Bristol and Keswick among planned closures, with 180 jobs to go and more than 200 at risk in IT

Jill Treanor and Patrick Collinson

24, Jan, 2017 @3:14 PM

Article image
Online fraud victims should be better protected, not blamed
All too often banks and cards companies do little to pursue fraudsters, and in many cases seem happy to blame those scammed

Patrick Collinson

31, May, 2016 @4:45 PM