An internet gang claims it used a distributed denial-of-service (DDoS) attack to interrupt services at the Lloyds Banking Group.
The group, which includes Lloyds Bank, Halifax Bank, and the Bank of Scotland, suffered a series of outages on 11-13 January 2017. During that time, customers experienced difficulty logging into their accounts. Some individuals subsequently took to social media to vent their frustration.
One frustrated customer addressed Lloyds Banking Group directly at the time via Twitter, as quoted by BBC News:
“Haven’t been able to access the site or app for over 36 hours now - is anything being done about this?”
The Register reports that Lloyds Banking had no idea what was causing the outages on the first day of the attack. On 12 January, it said services were returning to normal but it was unsure if that would continue.
The round of outages ended in the afternoon on 13 January.
As of this writing, the bank has yet to reveal what caused the service interruptions. A statement sent to Bloomberg reveals as much… or as little:
“We had a normal service in place for the vast majority of this period and only a small number of customers experienced problems. We will not speculate on the cause of these intermittent issues.”
But a pair of individuals claim to know what happened.
On 13 January, the duo reached out to Bleeping Computer.
One of them sent over a link to a Pastebin page containing an email. The email, which the actors claim they sent to Lloyds, says the duo found several flaws on the group’s website and demanded 100 BTC (approximately US $100,000) in payment as a “consultancy fee.” Otherwise, they would continue to interrupt the bank’s service.
Meanwhile, the second alleged attacker provided a demo illustrating that the pair were behind the outages. They also tweeted about their attacks against the group from a now-dormant Twitter account.
Lloyds has yet to comment on those materials.
Assuming what the pair said is true, by no means would this be the first time a group of attackers held a bank (or its data) for ransom. Nor will it be the last.
With that said, the UK National Cyber Security Centre feels it is up to banks to defend themselves. As it told the Financial Times:
“The more information a company shares in a timely manner, the better we are able to support them and prevent others falling victim. But companies ultimately hold responsibility for their cyber security risks — and they should invest appropriately to ensure their networks are secure.”
Organizations can protect themselves against ransom-based attacks with a layered defense, which includes investing in DDoS mitigation technologies and encrypting customers’ sensitive financial information.