HSBC hit by DDoS attack. Online banking is offline

Graham Cluley
Graham Cluley
@[email protected]

HSBCBanking giant HSBC says it has been fighting a distributed denial-of-service attack against its systems this morning, preventing users from accessing their online accounts.

Sure enough, if you visit HSBC UK’s online banking page right now you will be greeted with an apology from the company for the disruption to normal services.

Customers are advised to either wait it out, or to make use of the company’s telephone banking services instead.

Hsbc apology

Sign up to our free newsletter.
Security news, advice, and tips.

We’d like to apologise to all our customers for Online Banking being unavailable.
We know how inconvenient this is and we are doing everything we can to rectify the problem.
Please try later.

An HSBC spokesperson has told the media that the company has successfully mitigated against the attack:

“HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK. HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed. We apologise for any inconvenience this incident may have caused.”

However, the fact that online banking remains currently inaccessible suggests that recovery is not yet complete.

As yet, there is no clear indication as to what may have motivated criminals to launch an attack against HSBC’s website. It does appear that it is becoming increasingly common for DDoS attackers to attempt to extort money from companies whose websites and online services they have disrupted, although I have not seen any confirmation from the bank as to whether they received a ransom demand or not.

Of course, it’s also possible that the motivation was not financial, but instigated by someone who has a grudge against the bank or, indeed, some kids doing it for a “laugh”.

It should go without saying that distributed denial-of-service attacks are no laughing matter and can result in their perpetrators receiving a stiff prison sentence.

If you bank with HSBC don’t panic. Although it’s irritating that you cannot access your online bank account, a DDoS attack is just disruptive – it doesn’t mean that the security of a website has been breached, or that your personal data might be at risk.

The bank said on Twitter that it is “working closely with law enforcement authorities to pursue the criminals responsible for today’s attack on our internet banking.”

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “HSBC hit by DDoS attack. Online banking is offline”

  1. Chris Webb

    Are you up to speed on Mr Ethical, Graham? See Maybe its someone who has a grudge against HSBC (not him!)

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.