New SEC Filings Show Impact Of DDoS Campaign On Banks

April 15, 2013

Some of the nation’s largest banks are normally tight-lipped about alleged cyber threats, but their new SEC filings show how recent Distributed Denial of Service (DDoS) attacks have made an impact.

JPMorgan Chase, Citigroup, US Bancorp, Capital One and Goldman Sachs revealed that they were, in fact, subject to repeated DDoS attacks during the course of 2012. In 2011, the SEC began mandating that all public companies disclose cyber attacks in an effort to “elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”

Goldman Sachs, in their March 1st 10-K [PDF] filing, said that they “are regularly the target of attempted cyber attacks, including denial-of-service attack.” So did JPMorgan Chase, who in their February 28 10-K [PDF] filing described the incidents as “technically sophisticated.” Both banks said none of the attacks resulted in a breach.

JPMorgan Chase referred to the attackers inflicting this harm as “well-resourced third parties” who “intended to disrupt consumer online banking services,” but said that these incidents did not result in any material harm to either the bank or its customers.

Like JPMorgan, US Bancorp, in their 10-K [PDF] filed on January 22nd, also experienced attacks (but with no “material loss”).

“The company and other large financial institutions were targets of various denial-of-service attacks on customer-facing websites and computer systems as part of what is believed to have been a coordinated effort to disrupt the operations of financial institutions. As a result of the Company’s controls, processes and systems to protect its networks, computers, software and data from attack, damage or unauthorized access, the Company has not experienced any material losses relating to these or other attempts to attack its systems,” they wrote.

Bank of America, in their February 28th 10-K [PDF] filing, said their “website has been subject to a series of distributed denial of service cyber security incidents.”

Capital One Bank also acknowledged in their 10-K [PDF] filed on February 28 that despite “systems and technologies” employed to guard against attacks, they were the target of repeated “sophisticated” DDoS attacks.

“Capital One and other U.S. financial services providers were targeted recently on several occasions with distributed denial-of-service attacks from sophisticated third parties. On at least one occasion, these attacks successfully disrupted consumer online banking services for a period of time,” they wrote.

While JPMorgan Chase, Bank of America and Capital One did not mention that these instances resulted in the loss of any sensitive data, that was not the case with Citigroup. The bank was the only one to report a breach due to an attack, mentioning “limited losses,” without unveiling any additional specifics.

In their 10-K [PDF] filed on March 1st, Citigroup wrote: “[I]n 2012 Citi and other U.S. financial institutions experienced distributed denial of service attacks which were intended to disrupt consumer online banking services. While Citi’s monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber incidents.”

The headline-making DDoS attacks against the financial sector that began in mid-September of 2012 are being claimed by a group called the Izz ad-Din al-Qassam Cyber Fighters, and have resulted in intermittent downtime for a number of online banking sites.

While the group maintains that the attacks are being conducted in protest of a controversial YouTube video, others suspect that the operation may actually be a diversionary tactic to occupy the attention of security staff in order to facilitate fraudulent wire transfers by an unidentified criminal syndicate. The Office of the Comptroller of the Currency (OCC) issued an advisory in December to that effect, which reiterated earlier warnings from the Financial Services – Information Sharing and Analysis Center (FS-ISAC), the FBI and IC3. Regardless of the alleged endgame, there are signs that the most recent attacks have grown even larger, culminating in a third phase which saw banks knocked offline for a record 249 hours during a six-week period earlier this year, according to reports.

Capital One’s filing sums up the challenge all of these banks — and millions of customers — are facing, in light of what appears to be an escalating cyber attack campaign.

“[The attacks could] adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services online,” they wrote.
