For bank leaders, it’s their worst nightmare. Urgent communications have rapidly unleashed turmoil across the UK’s financial sector, as cyberattacks incapacitate IT infrastructures.
Bank executives recognize that the stakes are particularly high, especially as household names in other sectors, like Marks & Spencer, grapple with the repercussions of such breaches.
Within hours of a bank breach, millions of direct debits might fail, jeopardizing rent, mortgages, and salaries. Online banking access may be blocked, cash withdrawals denied, and commuters stranded as buses and gas stations refuse payments. News of such an attack often incites panic, prompting rival banks to react and customers to withdraw their funds in anticipation of disruptions.
While this may seem extreme, a well-executed cyberattack on a major UK bank is not far removed from the government’s “rational worst-case scenario.” The financial sector, categorized as one of the 14 “critical national infrastructure” sectors, is particularly vulnerable. This is highlighted in the National Risk Register, which models the most significant threats confronting the UK.
This spring, billions of pounds were invested to prevent catastrophic incidents involving major retailers like Harrods, The Co-op, and M&S.
“The financial commitment will be substantial,” Ian Stuart, CEO of UK HSBC, mentioned to MPs last month. “We are under constant attack,” he added.
Following the cyberattack, M&S was compelled to halt online orders for six weeks.
According to Stuart, HSBC alone needs to invest hundreds of millions to bolster their security. “This represents our largest expenditure.”
Globally, banks are projected to dedicate 11% of their IT budgets to cybersecurity by 2025, as indicated by an EY survey. This budget is expected to reach $290 billion (about £21.4 billion). By December, banks may invest $32 billion in cybersecurity, according to Celent’s research.
Cybercriminals represent a new kind of threat in the banking sector, evolving from masked robbers targeting physical branches to state-sponsored hackers and independent cybercriminals aiming for ransom or widespread chaos.
“Banks likely comprehend risk more profoundly than many other industries, investing significantly more in security,” states Stuart McKenzie, managing director at Mandiant Consulting, a Google-owned cybersecurity firm that collaborates closely with various UK lenders.
Last month, the Governor of the Bank of England shared with the BBC that cybersecurity risks remain ever-evolving. “We are contending with adversaries who continually enhance their methods of attack, which I must remind the agency to prioritize,” said Andrew Bailey.
However, safeguarding systems is complex. Many high street banks operate on multi-layered IT architectures with numerous updates and add-ons. Incorporating third-party software and cloud services complicates matters further, leading to a convoluted system.
“We refer to it as the offensive side,” remarked Alan Woodward, a cybersecurity expert and professor at the University of Surrey. “The attack surface is expanding, resulting in more chances for attackers to exploit vulnerabilities.”
Historically, successful bank hacks have not been destructive enough to halt the economy completely. Instead, hackers typically target customer data and account information.
In 2021, a hacker from Morgan Stanley accessed personal information belonging to a corporate client by breaching a server operated by third-party consultancy firms.
Earlier, at the onset of the COVID-19 pandemic, an attacker compromised a staff email for the Italian bank Monte Dei Paschi, sending a client a voicemail with malicious attachments.
In 2016, hackers guessed bank card details from over 9,000 Tesco Bank accounts, managing to steal nearly £2.5 million.
Notably, one of the worst hacking incidents in UK banking occurred in 2016, when criminals guessed card details, leading to the theft of approximately £2.5 million from Tesco Bank accounts. In the aftermath, Tesco had to stop all online and contactless transactions to mitigate fraudulent activity occurring globally, including in Spain and Brazil.
In the end, Tesco Bank fully refunded its customers.
The National Cyber Security Centre advises customers who suspect a breach to reach out to their banks through official websites or social media channels, avoiding any links or contact details shared in suspicious communications. Organizations should be able to confirm the status of the breach and provide guidance on next steps.
Since 2013, the Bank of England has actively recognized cybersecurity as a financial stability risk and initiated supervision of cyber resilience standards for all regulated banks and insurance firms.
The initiative includes the launch of CBEST, the first global program where ethical hackers evaluate the potential vulnerabilities of banks using advanced attack techniques.
“Nothing is absolutely secure,” emphasized Woodward, but he noted that the UK banking system is nearing that goal. “Much of this stems from oversight,” particularly by the central bank, which gathers intelligence from MI5, GCHQ, and NCSC, and conducts real-world scenarios to assess bank resilience.
Every two years, the central bank orchestrates the Multiday Cyberwar game as part of the Simex-Simulation Exercise program, assessing the security of businesses in London.
Additionally, authorities have been scrutinized, with banks, financial regulatory bodies, the Treasury, and the National Cyber Security Centre evaluating their preparedness for various catastrophic incidents.
Regulators don’t just review bank defenses; they also encourage banks to develop response and recovery plans to mitigate long-lasting disruptions caused by potential cyberattacks, as it’s crucial for their success.
The Cross Market Business Continuity Group, connecting regulators with representatives from UK Finance in the banking sector, boasts the capability to convene approximately 100 firms for emergency discussions within an hour during potential threats.
Avoiding breaches is deemed essential for safeguarding industries that ultimately rely on trust. Customers expect banks to protect their data, incomes, and life savings from outside threats.
“If anyone can breach that security and execute a fraudulent transaction… you will lose trust in that bank, right?” remarked Woodward.
Banks have already faced backlash from mere IT disruptions, even without malicious intent aiming to undermine the banking system or steal sensitive information.
TSB has spent years rehabilitating its image after the IT collapse in 2018, caused by a failed separation from Lloyds’ internal systems, which led to millions of customers being locked out of their accounts for weeks. The bank was subsequently fined £48 million for “serious and widespread” failures.
Data gathered by the Parliamentary Treasury Committee indicates that the repercussions continue to affect some of the UK’s largest banks and their client bases, with significant IT failures over an extended period between January 2023 and February 2025.
“Customer money and data security are paramount for banks, not only due to regulatory demands but also as a cornerstone of their business model.”
“While I don’t dismiss the potential for cyber incidents, I remain confident in the level of cyber defense we maintain.”
Source: www.theguardian.com