More specifically, it announces, "In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services." The surprise is that nobody outside of the banking system seems to be aware of these attacks, nor what services were disrupted. The recent attacks on Santander and Barclays do not seem to fit with the BoE description; and when contacted for more information, it replied that no further information would be made public.
There is a temptation to consider this statement to be a forewarning of the results of the recent Waking Shark 2 exercise coordinated by the BoE. This would fit with the description provided: "While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities." This was indeed the very purpose of Waking Shark 2 – to stress test the finance sector's ability to cope with future attacks, and reveal any vulnerabilities that need to be fixed.
Neira Jones, a partner at financial consultancy Accourt, suspects that the details have more to do with Waking Shark 2 than with actual criminal attacks. David Harley, ESET senior research fellow, is less certain even though he told Infosecurity, "I’m not aware of attacks on banking software and infrastructure in the UK (as opposed to bank losses due to phishing attacks). There have been attacks on client-bank systems and smartcard manipulation in Eastern Europe, especially the Ukraine, but I’ve no information relating to anything similar in the UK, let alone direct hacking, DoS/extortion, or whatever else the report is hinting at. Clearly the BoE isn’t discussing it, and I’ve not heard anything by other channels."
The description of the vulnerabilities is also slightly unexpected. Specific vulnerabilities are likely to affect specific institutions; but the BoE states, "If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions." This sounds like a DoS attack that has knock-on effects across the whole industry – which, again, was the purpose of Waking Shark 2 – rather than specific security vulnerabilities.
"From the tone of the report," suggests Harley, "it seems to me that could just as easily be referring to internal organizational and operational weaknesses – maybe that’s more likely. But financial institutions are understandably secretive, so I’m just guessing." But he still doubts that the text refers to Waking Shark. "This doesn’t sound like Waking Shark or commissioned pen-testing: much more like bitter experience..." he told Infosecurity.
But while it would be useful for the security industry to know what, if any, attacks have succeeded against the finance sector, it is to a certain extent academic only. Chris McIntosh, CEO, ViaSat UK is of the school that believes companies, including the banks, should assume that they have already been hacked. "The UK’s banks need to realize that they have likely already been compromised and need to work back on this basis. Every organization’s network is at risk to the new species of threat and cyber security must reflect this."