HSBC hit by DDoS attack. Online banking is offline

Graham Cluley

Hsbc thumb

HSBCBanking giant HSBC says it has been fighting a distributed denial-of-service attack against its systems this morning, preventing users from accessing their online accounts.

Sure enough, if you visit HSBC UK’s online banking page right now you will be greeted with an apology from the company for the disruption to normal services.

Customers are advised to either wait it out, or to make use of the company’s telephone banking services instead.

Hsbc apology

We’d like to apologise to all our customers for Online Banking being unavailable.
We know how inconvenient this is and we are doing everything we can to rectify the problem.
Please try later.

An HSBC spokesperson has told the media that the company has successfully mitigated against the attack:

“HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK. HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed. We apologise for any inconvenience this incident may have caused.”

However, the fact that online banking remains currently inaccessible suggests that recovery is not yet complete.

As yet, there is no clear indication as to what may have motivated criminals to launch an attack against HSBC’s website. It does appear that it is becoming increasingly common for DDoS attackers to attempt to extort money from companies whose websites and online services they have disrupted, although I have not seen any confirmation from the bank as to whether they received a ransom demand or not.

Of course, it’s also possible that the motivation was not financial, but instigated by someone who has a grudge against the bank or, indeed, some kids doing it for a “laugh”.

It should go without saying that distributed denial-of-service attacks are no laughing matter and can result in their perpetrators receiving a stiff prison sentence.

If you bank with HSBC don’t panic. Although it’s irritating that you cannot access your online bank account, a DDoS attack is just disruptive – it doesn’t mean that the security of a website has been breached, or that your personal data might be at risk.

The bank said on Twitter that it is “working closely with law enforcement authorities to pursue the criminals responsible for today’s attack on our internet banking.”

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “HSBC hit by DDoS attack. Online banking is offline”

  1. Are you up to speed on Mr Ethical, Graham? See http://nicholaswilson.com/ Maybe its someone who has a grudge against HSBC (not him!)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES