If ever proof were needed that hacking is still an ongoing and persistent threat and that every business needs to beef up its defences against cyber-attack, then the experiences of Royal Bank of Scotland Group should serve as a salutary lesson for every organisation. Already unpopular for numerous well-documented reasons, RBS and NatWest took further hits to their reputations last week when their websites crashed following yet another DDoS cyber-attack, leaving thousands of customers unable to access funds in their accounts. These customers may well have been prepared to give RBS Group the benefit of the doubt had the cyber-attack been an isolated occurrence; however, last week’s attacks were just the latest in a series of IT disasters to have affected the Group over the course of the last 18 months.
In spite of earlier denials, the bank has now confirmed that its systems were deliberately targeted by a DDoS attack. The cyber-attack hit while the 81 per cent taxpayer-owned bank was still handling the fallout from an earlier unrelated cyber-attack. In a statement to the press, the bank said: “Due to a surge in internet traffic deliberately directed at the NatWest website, customers experienced difficulties accessing some of our customer websites today. This deliberate surge of traffic is commonly known as a distributed denial of service (DDoS) attack. We have taken the appropriate action to restore the affected websites.”
The attack is the latest computer problem to hit the bank in 18 months. A botched software upgrade in June 2012 left RBS with a £175m bill for compensation for up to 13 million customers. Ulster Bank’s customers were inconvenienced for more than a month while some NatWest and RBS customers experienced difficulties for about 10 days.
If there is any comfort to be had, it is that RBS is not alone. Thousands of businesses are regularly targeted by hackers in an attempt to steal valuable information and data. Neither is RBS Group the only banking organisation to have been deliberately targeted. US banks, such as Citigroup and Bank of America, are also reported to have been the victims of similar attacks, which target high-profile institutions in order to cause the maximum disruption. Last week JP Morgan, the biggest US bank, said it had been hit by a different type of cyber-attack, warning 465,000 cash card customers that their personal information may have been accessed by hackers.
RBS has apologised for the latest problem, but insisted it was unrelated to a systems meltdown earlier the same week which lasted for three hours and resulted in millions of people being denied access to cash and left unable to make payments. RBS, moreover, insisted that there was no risk to customers at any point when its NatWest online service was targeted. The problem was largely fixed in just over half an hour but had a knock-on effect on other websites operated by the bailed-out bank, including RBS.
City regulators have naturally been concerned about the security of banks’ IT systems and last month conducted a “war game” simulation of an attack on financial markets. A denial of service attack is said to have been among the scenarios the 100 or so banks and financial services firms played out in the so-called Waking Shark II exercise.
The bank has now earmarked £450m for upgrading its IT systems, which were developed when RBS bought NatWest in 2000. Union leaders had blamed cost-cutting for Monday’s problems, while Ross McEwan, the bank’s new chief executive, blamed decades of under-investment in IT. However, the majority of security experts are agreed that the problem can be largely blamed on an under-investment in reliable cyber-defences, vulnerability assessments and security testing.
KRYPSYS’ services are focused on helping your company assess its security posture against such security threats and advising you on the risks to which it is exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in a business’ IT security strategy and to assist in streamlining and prioritising its risk management spending.
If you would like to find out how these solutions could help you protect your business from cyber-attacks and optimise your web applications, please contact Krypsys on 0845 474 3031.