UK banks under constant cyber-attack but don't report incidents

Officially, there have been 75 cyber-attacks on UK banks in 2016, up from 2014 when only five attacks on financial institutions had been reported.

The real number, is much larger, it's been claimed, but banks do not report the breaches fearing bad publicity and punishment.

According to Shlomo Touboul, CEO of Israeli-based cyber-security firm Illusive Networks, financial institutions are under a constant cyber-siege. A single financial institution may experience as many as 2 billion attacks a month, which include emails containing malicious code received by employees.

Only about 200 attacks a month are serious but most banks don’t report the incidents as they are not legally obliged to do so.

“There is a grey area...Banks are in general fulfilling their legal obligations but there is also a moral requirement to warn customers of potential losses and to share information with the industry,” said Ryan Rubin, UK managing director, security & privacy at consultant Protiviti.

Cyber-security researchers say that not reporting incidents has negative consequences as valuable lessons are not being learned.

“Banks are dramatically under-reporting attacks, they do what’s legally required but out of embarrassment or fear of punishment they aren’t giving the whole picture,” an unnamed source familiar with the situation told Reuters.

Barclays chief information security officer Troels Oerting, previously head of Europol’s Cyber Crime Unit, said, however, that the situation is slowly improving.

Apart from Barclays, other major British banks all declined to comment on their disclosures, Reuters said.

“Our customers sometimes detect attacks but don’t tell us,” Touboul, whose firm helps protect banks’ SWIFT payment networks by luring attackers to decoy systems, said.

A recent attack on the global interbank money transfer service SWIFT resulted in a loss of $81m in what has been described as one of the largest reported cyber-heists to date.

Targeted attacks, in which organised criminals penetrate bank systems then lurk for months to identify and profile key executives and accounts, are becoming more common, David Ferbrache, technical director Cybersecurity at KPMG and former head of cyber and space at the UK Ministry of Defence, said.

“The lesson of the SWIFT attack is that the global banking system is heavily interconnected and dependent on the trust and security of component members, so more diligence in controls and more information sharing is vital,” Ferbrache said.

According to Yuri Frayman, CEO of Los Angeles-based cyber-security provider Zenedge, banks are spending up to $500m a year to beef up their cyber-defences, but vulnerabilities still remain. 

“There are still vulnerabilities in their supply chains and in executives’ home networks, and organised crime groups are shifting their focus accordingly,” Frayman said.