Top Banks Offer New DDoS DetailsCiti, Chase Among Banks Reporting Attacks in SEC Filings
Increasingly, U.S. banking institutions are reluctant to acknowledge - much less discuss - the ongoing distributed-denial-of-service attacks against their online services. Perhaps that's because they're concerned that consumers will panic or that revealing too much about the attacks could give hacktivists information they could use to enhance their DDoS abilities. But in recent regulatory statements, the nation's largest banks are candid about DDoS attacks and their impact.
In their annual 10-K earnings reports, filed with the Securities and Exchange Commission, seven of the nation's top 10 financial services institutions provide new details about the DDoS attacks they suffered in 2012.
In its report, Citigroup even acknowledges that DDoS attacks have led to unspecified losses.
Citigroup, which filed its 10-K report March 1, notes: "In 2012, Citi and other U.S. financial institutions experienced distributed-denial-of-service attacks which were intended to disrupt consumer online banking services. While Citi's monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber-incidents."
The bank also points out that these attacks are being waged by powerful adversaries. "Citi's computer systems, software and networks are subject to ongoing cyber-incidents, such as unauthorized access; loss or destruction of data (including confidential client information); account takeovers; unavailability of service; computer viruses or other malicious code; cyber-attacks; and other events," Citi states. "Additional challenges are posed by external extremist parties, including foreign state actors, in some circumstances as a means to promote political ends."
When contacted by BankInfoSecurity, Citi and other institutions did not comment further about DDoS attacks or the information in the 10-K reports.
These banks, as well as other U.S. financial institutions, are now in the midst of the third wave of DDoS attacks attributed to the hacktivist group Izz ad-Din al-Qassam Cyber Fighters - a group that has claimed since September that its attacks are being waged to protest a YouTube movie trailer deemed offensive to Muslims.
In their 10-K reports, Citi, as well as JPMorgan Chase & Co., Bank of America, Goldman Sachs Group, U.S. Bancorp, HSBC North America and Capital One acknowledge suffering from increased cyber-activity, with some specifically calling out DDoS as an emerging and ongoing threat.
HSBC North America, in its 10-K report filed March 4, notes the global impact of DDoS on its customer base.
"During 2012, HSBC was subjected to several 'denial of service' attacks on our external facing websites across Latin America, Asia and North America," the bank states. "One of these attacks affected several geographical regions for a number of hours; there was limited effect from the other attacks with services maintained. We did not experience any loss of data as a result of these attacks."
And U.S. Bank, in its 10-K filed Jan. 15, describes DDoS attacks as "technically sophisticated and well-resourced."
"The company and several other financial institutions in the United States have recently experienced attacks from technically sophisticated and well-resourced third parties that were intended to disrupt normal business activities by making internet banking systems inaccessible to customers for extended periods," U.S. Bank reports. "These 'denial-of-service' attacks have not breached the company's data security systems, but require substantial resources to defend and may affect customer satisfaction and behavior."
U.S. Bank reports no specific losses attributed to DDoS, but it states: "Attack attempts on the company's computer systems are increasing, and the company continues to develop and enhance its controls and processes to protect against these attempts."
Other DDoS Comments
Here is what the other institutions reported about DDoS attacks suffered in 2012:
- Chase: "The firm and several other U.S. financial institutions continue to experience significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which are intended to disrupt consumer online banking services. The firm has also experienced other attempts to breach the security of the firm's systems and data. These cyber-attacks have not, to date, resulted in any material disruption of the firm's operations, material harm to the firm's customers, and have not had a material adverse effect on the firm's results of operations."
- BofA: "Our websites have been subject to a series of distributed denial of service cybersecurity incidents. Although these incidents have not had a material impact on Bank of America, nor have they resulted in unauthorized access to our or our customers' confidential, proprietary or other information, because of our prominence, we believe that such incidents may continue. Although to date we have not experienced any material losses relating to cyber-attacks or other information security breaches, there can be no assurance that we will not suffer such losses in the future."
- CapOne: "Capital One and other U.S. financial services providers were targeted recently on several occasions with distributed denial-of-service attacks from sophisticated third parties. On at least one occasion, these attacks successfully disrupted consumer online banking services for a period of time. If these attacks are successful, or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services online. In addition, a breach or attack affecting one of our third-party service providers or partners could impact us through no fault of our own. Because the methods and techniques employed by perpetrators of fraud and others to attack, disable, degrade or sabotage platforms, systems and applications change frequently and often are not fully recognized or understood until after they have been launched, we and our third-party service providers and partners may be unable to anticipate certain attack methods in order to implement effective preventative measures. Should a cyber-attack against us succeed on any material scale, market perception of the effectiveness of our security measures could be harmed, and we could face the aforementioned risks. Though we have insurance against some cyber-risks and attacks, it may not be sufficient to offset the impact of a material loss event."
No Mentions of Attacks
Among the top 10, the only institutions that do not specifically reference DDoS in their 10-K reports are Morgan Stanley, Bank of NY Mellon and Wells Fargo, a bank that has recently suffered significant online outages.
Wells Fargo, does, however, note DDoS activity in its annual report to shareholders. "Wells Fargo and reportedly other financial institutions have been the target of various denial-of-service or other cyber attacks as part of what appears to be a coordinated effort to disrupt the operations of financial institutions and potentially test their cybersecurity in advance of future and more advanced cyber attacks," the bank reports. "To date, Wells Fargo has not experienced any material losses relating to these or other cyber attacks. Cybersecurity and the continued development and enhancement of our controls, processes and systems to protect our networks, computers, software, and data from attack, damage or unauthorized access remain a priority for Wells Fargo."
The bank goes on to say that as cyber-threats continue to evolve, it may have to invest additional resources toward modifying or enhancing protective measures, as well as enhancing resources put toward investigating and remediating information-security vulnerabilities.
Wells Fargo spokeswoman Sara Hawkins tells BankInfoSecurity that the bank's online and mobile-banking channels were inaccessible for portions of the day on April 4, when it saw "an unusually high volume of website and mobile traffic ... which we believe is a denial of service attack."
Doug Johnson, who oversees risk management policy for the American Bankers Association, says banking institutions are required to report all suspicious cyber-activity either through their filings with the SEC or in the Suspicious Activity Reports to the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury.
All financial institutions, regardless of size, must report SARs to FinCEN, an agency that collects, analyzes and shares financial intelligence. However, only companies with more than $10 million in assets are required to file reports with the SEC.
Banking institutions are required to report cyber-attacks in their SEC filings, Johnson says.
"Online banking platforms, obviously, are extremely important to banking retail consumers, and so that would be one of those systems which would be very important to report on a suspicious activity report," Johnson says. "One thing that is also very important to do is to go and have that conversation with your primary federal regulator, at the field level, to find out what you would do, as an institution, for generalized security breach reporting."
Breach reporting requirements vary from state to state, Johnson adds.