HSBC internet sites hacked


The bank said no customer data was accessed during the attack because it is stored on different servers. However, experts said the incident casts doubts over the company’s security policy.

Herbless, the hacker who carried out the attack, told sister site that he had not accessed or tried to access any customer data.

‘I didn’t access customer data. I didn’t undertake any research into whether or not I could have access[ed] said data,’ Herbless said in an email.

HSBC’s Greek and Spanish sites and one other, British Arab Commercial Bank, were also hit during the attack last night.

The hack included a statement in support of the fuel protestors and a photograph of UK Prime Minister Tony Blair with a speech bubble saying: ‘Listen to Herbless. He talks sense.’

While previous hacks have been easy to fix, HSBC has taken time to recover from the attack. At 10am BST Wednesday, none of the hacked sites could be viewed normally, with each showing a DNS error message when the URL was typed into a web browser.

Herbless hacked hundreds of websites late last week by exploiting administrators failure to properly configure their SQL server, and he appears to have used the same method again.

Paul Rogers, network security analyst at security consultancy MIS, said: ‘Again Herbless has used the Microsoft SQL server issue to gain access to HSBC’s web server. Because all the affected domains were based on the same box, he was able to modify all their front pages.’

Rogers said that there is a ‘definite risk’ that other data could have been compromised in the attack. ‘It depends on how the network is designed and what security policies are implemented within the HSBC website network.’

He said the attack is very embarrassing for HSBC. ‘Internet banking has had bad press recently. It’s not good for customer confidence. From a common sense point of view, if it’s what we think then I’m very surprised that due to the publicity surrounding this issue that this hole wasn’t closed earlier.’

‘Security can never be 100 per cent, but you try for 95 per cent. It seems certain procedures at HSBC are a bit lax,’ he added.

This fresh attack marks a step up in the complexity of Herbless’ ‘hacktivism’. During the past month, Herbless has taken advantage of an administrator error in the initial configuration of SQL server to deface more than 450 UK corporate, local government and government agency websites.

Additional reporting by Ian Lynch and Andrew Craig.

This article first appeared on


Hacker attacks UK government websites

Net movies open back door for hackers

Related reading