British banks and market infrastructures have come under attack in the past months, revealing vulnerabilities in their systems, according to a Bank of England report.
The computing infrastructure of UK banks and markets has come under attack in the past six months, revealing vulnerabilities that could potentially lead to “significant” losses across the banking industry, the Bank of England (BoE) has revealed.
The disclosure appeared in the bank’s Financial Stability Report, in a section titled “Short-term risks to financial stability”. The attacks, which appear not to have been previously disclosed outside of the financial sector, caused disruption to banking services, according to the report.
“Cyber attack has continued to threaten to disrupt the financial system. In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services,” the Bank of England stated in the report.
“While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities,” the report stated. “If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions.”
The financial system is susceptible to attack due to its “high degree of interconnectedness, reliance on centralised market infrastructure and sometimes complex legacy IT systems”, according to the report.
No further information is to be disclosed on the attacks or the vulnerabilities in question, according to the BoE. However, the bank added that in response to the incidents work has been carried out to “assess, test and improve the financial system’s resilience to cyber attack”.
This includes the Waking Shark 2 exercise carried out in London last month, which tested how banks, law enforcement and industry groups including the Bank of England would react to hacker attempts on their communications infrastructure.
Around 100 people took part, as cyber attack scenarios were thrown out to the separate teams. A report is to be published in early 2014. The operation follows the original Waking Shark tests from 2011, which looked at attacks surrounding the 2012 Olympic Games. An 11 December meeting is scheduled for deciding on the scope and date of a follow-up exercise.
That testing focused on attacks to communications infrastructure, such as denial-of-service attacks, rather than data breach-style scenarios.
Peter Armstrong, director of cyber security at Thales UK, said the financial system’s vulnerable state comes as “little surprise”.
“A holistic approach designed to tightly integrate cyber defences with processes, people and physical measures is crucial to ensure financial organisations are protected against the latest evolution of threat and attack vectors,” he said in a statement provided to TechWeekEurope UK.
Santander, Barclays hit
Though the attack does not apparently fit with the type of incident described in the BoE report, Barclays was robbed of £1.3 million in a high-profile incident earlier this year by criminals using a KVM (keyboard, video and mouse) device attached to a 3G router in a North London branch.
A similar attack was attempted on a Santander branch at the Surrey Quays shopping centre in September.
Security firms have noted that attacks using the Citadel malware have been on the rise since April of this year. Citadel works by installing code that can steal usernames and passwords.