HSBC's UK internet site and three of its international sites have been hacked as part of an ongoing campaign in support of the fuel protest.
vnunet.com, 20 Sep 2000
HSBC's UK internet site and three of its international sites have been hacked as part of an ongoing campaign in support of the fuel protest.
The bank said no customer data was accessed during the attack because it is stored on different servers. However, experts said the incident casts doubts over the company's security policy.
Herbless, the hacker who carried out the attack, told vnunet.com that he had not accessed or tried to access any customer data. "I didn't access customer data. I didn't undertake any research into whether or not I could have access[ed] said data," Herbless said in an email to vnunet.com.
HSBC's Greek and Spanish sites and one other, British Arab Commercial Bank, were also hit during the attack last night.
The hack included a statement in support of the fuel protestors and a photograph of UK Prime Minister Tony Blair with a speech bubble saying: "Listen to Herbless. He talks sense."
MORE COVERAGE:
While previous hacks have been easy to fix, HSBC has taken time to recover from the attack. At 10am BST Wednesday, none of the hacked sites could be viewed normally, with each showing a DNS error message when the URL was typed into a web browser.
Herbless hacked hundreds of websites late last week by exploiting administrators failure to properly configure their SQL server, and he appears to have used the same method again.
Paul Rogers, network security analyst at security consultancy MIS, said: "Again Herbless has used the Microsoft SQL server issue to gain access to HSBC's web server. Because all the affected domains were based on the same box, he was able to modify all their front pages."
Rogers said that there is a "definite risk" that other data could have been compromised in the attack. "It depends on how the network is designed and what security policies are implemented within the HSBC website network."
He said the attack is very embarrassing for HSBC. "Internet banking has had bad press recently. It's not good for customer confidence. From a common sense point of view, if it's what we think then I'm very surprised that due to the publicity surrounding this issue that this hole wasn't closed earlier."
"Security can never be 100 per cent, but you try for 95 per cent. It seems certain procedures at HSBC are a bit lax," he added.
This fresh attack marks a step up in the complexity of Herbless' 'hacktivism'. During the past month, Herbless has taken advantage of an administrator error in the initial configuration of SQL server to deface more than 450 UK corporate, local government and government agency websites.
Additional reporting by Ian Lynch and Andrew Craig.
Experts have cast doubt on HSBC's explanation that a software fault caused the computer glitch that left customers stranded for most of Monday.
The main websites of both the US Republican and Democratic parties were broken into just as the country's citizens were preparing to cast their votes for the next president.
Details of thousands of credit cards were left temporarily exposed on the internet by a UK video retailer after it upgraded its website 10 days ago.
Think-tank the Foundation for Information Policy Research today launched a scathing attack on the UK's internet banks.
First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1
Google's announcement this week that it plans to step into...
Do you agree?
Have your say on this article