Twenty banks (some suffering repeated outages), six countries (one in lockdown), five continents, tens of millions of unhappy customers.
There’s never a good time for your bank’s IT system to go down. But few can be worse than in the middle of a lockdown. It’s difficult to leave home, your local branch may not be open, and as a result you are more reliant than ever on digital banking services. In New Zealand, now in its seventh week of nationwide lockdown, one of the country’s largest lenders, Kiwibank, went down on Tuesday, leaving many of its customers in the lurch. It is one of a string of IT outages the bank has suffered over the past three weeks, after a DDoS attack on New Zealand’s third-largest Internet provider caused IT crashes at a number of lenders, including Commonwealth Bank and ANZ Bank.
In a DDoS attack, hackers overwhelm a site by getting huge numbers of bots to connect to it all at once, rendering it inaccessible. Servers are not breached and data is not stolen, but the attack can still cause plenty of disruption.
24 Million Unhappy Customers
New Zealand is not the only country to have suffered major outages within its banking system in recent weeks. Other countries include the UK, Japan, South Africa, Venezuela and Mexico, though there are no doubt more (if you know of any, it would be great if you could provide details in the comments section).
On September 12, operating failures at Mexico’s largest bank, BBVA Mexico, left 24 million account holders unable to use the bank’s 13,000 ATMs, its mobile app or in-store payments for almost 20 hours. It being a Sunday, customers could not even avail of the lender’s in-branch cash services. The bank blamed the outage on a system update failure and has offered to compensate customers with cash bonuses on purchases when using their credit or debit cards. The bank was also at pains to assure them that their financial data was not compromised.
“It had nothing to do with the outside world,” said Jorge Terrazas, the bank’s director of communication and corporate identity. “The bank and its customers’ information is secure. What we did was undo the changes to the system and return everything to as it was.”
Less than a week after BBVA’s outage, Santander Mexico, another Spanish-owned Mexican bank, suffered an outage that left customers across the country unable to use their debit cards at the ATM or in stores. Again, it was blamed on internal problems.
In recent years, Mexico has become an important market for stolen data — enough to earn it eighth place in the world in terms of identity theft, according to the country’s central bank, Banco de Mexico (Banxico for short). This is partly a result of the widespread impunity cyber criminals enjoy in the country, due to the lack of enforcement of existing laws and the absence of adequate legal tools. Cyber theft in Mexico is not just the preserve of isolated basement-dwelling hackers but also highly professional criminal organizations.
Even Banxico’s SPEI interbank transfer system, an iteration of the SWIFT global payment system, has been the target of digital heists, as WIRED reports:
In January 2018 a group of hackers, now thought to be working for the North Korean state-sponsored group Lazarus, tried to steal $110 million from the Mexican commercial bank Bancomext. That effort failed. But just a few months later, a smaller yet still elaborate series of attacks allowed hackers to siphon off 300 to 400 million pesos, or roughly $15 to $20 million from Mexican banks.
Since then, Mexican banks have suffered repeated outages, one of the biggest of which took place during last year’s “Buen Fin”, an annual nationwide shopping event inspired by Black Friday. The online banking websites and mobile apps of many of the country’s major banks, including BBVA and Citibanamex, collapsed on the same day, leaving many customers unable to complete their purchases.
“A Growing Trend”
In the UK the Financial Conduct Authority has been “deeply concerned” about the increasing number of technology outages for a number of years. At the FCA’s annual public meeting in 2019, the regulator’s executive director of supervision, Megan Butler, said the number of incidents of “operation resilience breaks” reported in terms of IT failings had increased 300% year-on-year. And this, she said, would probably be “a growing trend,” though it is partly due to the rise in reporting of events.
On July 22 this year, the websites of six large banks and building societies — Lloyds, HSBC, Tesco Bank, Bank of Scotland, Halifax and Barclays — were brought down by a global Internet outage allegedly caused by a botched software update at hosting service Akamai. Less than a month later, the apps of five lenders and building societies — NatWest, Tesco Bank, TSB, Santander UK and Halifax — all went down over a period of just a few days. The outage, apparently triggered by a problem with US payments company TSYS, left consumers unable to access their credit card services and account information. Since then, HSBC, Barclays Bank and the Co-operative Bank have all suffered brief outages.
Continue reading on Naked Capitalism