HSBC claimed the outage was the result of a Distributed Denial of Service (DDoS) attack, and then claimed to have “successfully defended our systems” after hours of outages. The purpose of a DDoS attack being to cause outages, some customers were a touch skeptical about the word “successfully.”
@HSBC_UK So the inability to log in at all for the last 4hrs is you "successfully" defending a DDoS? Nice one.
— det (@detobate) January 29, 2016
A Distributed Denial of Service attack is, in its essence, a massive amount of traffic sent the way of a particular website or server, with the intention of crashing it. These attacks cannot, and are not intended to, reveal the personal information of users: all they can do is take a site offline.
DDoS attacks are typically carried out by botnets, massive armies of computers infected by malware. Would-be attackers who control a botnet can send an instant surge of traffic toward their targets in the hopes of causing an outage.
And today the bank was already dealing with above-average traffic: the end of January is when freelance workers in the U.K. need to file their self assessment taxes. This means around 10 million self-employed people were rummaging through their finances. For many it’s also the first payday of 2016, another reason people might be logging into their bank’s website or app.
Days like this, when a given website is already dealing with above-average traffic, give would-be DDoS attackers primed targets.
HSBC said on Twitter that it is “working closely with law enforcement authorities to pursue the criminals responsible for today’s attack on our Internet banking,” before encouraging customers still experiencing problems to visit a local branch to complete transactions in person.
The company also promised to waive any fees caused by the outage, which should be at least a little comfort to customers who face a late night of number-crunching.
