HSBC web host under fire over fuel hack

by Ian Lynch

22 Sep 2000

The external supplier believed to be responsible for managing the areas of HSBC's website vandalised by a hacker this week has been criticised in connection with the incident.

Part of HSBC's UK banking site (www.banking.hsbc.co.uk) was still offline on Friday, following the attack by a hacker called Herbless on Tuesday night. Other European sites were also hit as part of the attack in support of the fuel protest.

An investigation by vnunet.com revealed that the affected sites were managed by UK-based Trans-Enterprise Computer Communications. Phil Baldwin, the company's managing director, said: "We operate under strict non-disclosure agreements and can't comment on any of our clients."

Although HSBC said no customer data was accessed during the attack, because it is stored on different servers, experts said the incident cast doubts over the bank's security policy and is a major embarrassment for HSBC.

Herbless hacked hundreds of websites late last week by exploiting administrators' failure to properly configure Microsoft's SQL Server software, and he used the same method again to vandalise the HSBC websites. In all cases, administrators failed to change the server administrator password from its default.

Neil Barrett, technical director at Information Risk Management, said: "It's very lax. The delay in upgrading shows a lack of urgency. This is a clarion call for any administrator running SQL server to tighten it up or face the consequences - these range from embarrassment to criminal negligence.

"You can forgive the administrators of the first two or three websites hit by this problem, but it has been widely publicised since then and the rest have no excuse."

Other sites defaced by Herbless include those run by Specsavers and, in August, eight local authority and UK government agencies including Sheffield City Council.

Microsoft has posted a description of how to reconfigure SQL at http://www.microsoft.com/technet/SQL/Technote/secure.asp
