Schrodinger’s Hack – or How HSBC Was(n’t) Hacked

When a bank is hacked it can quickly generate extensive news coverage. However, recent events have shown that even when a bank isn’t hacked it can still generate significant column inches.

So, considering the implications of the recent attack on HSBC – and others like it – what can organisations do if they find themselves in a similar situation?

Responding to an incident

For anyone not privy to the inner workings of an incident response, it’s a complex affair. A notification will arrive, when a threshold has been reached, and stakeholders will be engaged. Pressure will quickly mount, and teams will activate internal plans and follow technical playbooks designed to limit any losses to their organisation - this will reduce the impact and locate the first infection or entry point. Separately, efforts to control the narrative – limiting potential reputational damage – will take place, involving business leaders and executives.  

In reality though, some boards and employees will only find out about a successful attack on their organisation if an external party informs them. So, when a threat actor recently made a claim that they had compromised the systems of HSBC USA by posting about it on the dark web, with “evidence” of compromised Personally Identifiable Information (PII), it stands to reason that comparable internal processes to those described above were activated at HSBC.  

Addressing concerns swiftly

In fact, it emerged that this is exactly what HSBC chose to do. They issued the following statement to address concerns raised by customers and third parties.  

“The claims made by this threat actor are false. HSBC conducted a thorough investigation and reviewed the sample data set posted by the threat actor. We have determined that the sample does not comprise legitimate HSBC customer data and that the sample data did not originate from any breach of HSBC systems or those of any of our service providers. There is no indication any HSBC customer data has been exposed.”

Formal statement issued by HSBC to TEISS  

In recent years, we have seen systematic attacks on institutions and governments, and attempts to undermine democratic institutions and civil society, typically executed by other nation states or by threat actors sponsored by nation states. In fact, the UK Foreign Affairs Committee, realising the seriousness of these threats, earlier this year highlighted the issue, stating that “disinformation is recognised as a key threat to Nation States and international bodies alike.”

So, how should the HSBC incident be viewed?  

Well, what happened to HSBC was an attack. It was not an attack that involved a physical or digital intrusion into a network, system, or data, but it was an attack all the same. It was an assault on the reputation of the organisation and an attempt to spread targeted disinformation with the aim of causing harm, disrupting business operations, diverting resources, and undermining trust.  

Our recent online webinar (“The Art of the Hack”) shone a light on the motivation of attackers like these. Gaining a reputation in the hacking community is one element, along with the possibility that the HSBC USA attack was actually a proof of concept or demonstration of capability for future attacks, focused on direct financial gain.  

Key takeaways from the attack

1. Organisations must take these attacks seriously

The significant role that private organisations play in society cannot be understated, and while government institutions may demonstrate toughened perimeters, threat actors can get good returns on their invested time and energies if they can attack critical or significant private sector organisations.

2. Organisations must plan for these attacks  

This type of attack is set to grow, and a Gartner report has predicted that enterprise spending on battling misinformation and disinformation will surpass $30 billion by 2028. Technology makes these types of attacks easier to execute effectively, at scale, and in conjunction with other types of traditional cybersecurity attacks. The reduction in oversight teams in certain key organisations makes disinformation efforts much harder to shut down via platform-based policing mechanisms.

3. Organisations must ensure they can respond to attacks at speed

Where “delay is the deadliest form of denial” any delay in countering unsubstantiated claims risks being misinterpreted. Combined with the innate human habit of liking, sharing, and spreading bad news (often on social media platforms), this becomes a recipe for an algorithmically driven disaster.  

4. Threat intelligence, if used properly, can be an effective early warning mechanism

Being able to collate, manage, and assess data from multiple sources is fundamental to the success of any cybersecurity team. Effective analysis of data allows organisations to spend their efforts shaping their controls, defences, and mechanisms.

These attacks will increase

Disinformation results in fear, uncertainty and doubt - and indications are that attacks will increase in effectiveness and scale. It can’t be too farfetched to predict that, not only will significant cyberattacks continue to result in business fallings, but also that disinformation campaigns could result in significant share price volatility, contribute to business failings, monetary losses, and economic harm. Businesses have an obligation to be able to launch robust responses to this growing threat.