‘We’re being attacked all the time’: how UK banks stop hackers
Devastating attacks at M&S, the Co-op and Harrods highlight risks as lenders say cybersecurity is biggest expense

It is every bank boss’s worst nightmare: a panicked phone call informs them a cyber-attack has crippled the IT system, rapidly unleashing chaos across the entire UK financial industry.
As household names in other industries, including Marks & Spencer, grapple with the fallout from such hacks, banking executives will be acutely aware that, for them, the stakes are even higher.
Within hours of a successful bank hack, millions of direct debits could fail, leaving rents, mortgages and wages unpaid. Online banking may be blocked, cash machine withdrawals denied, and commuters left in limbo as buses and petrol stations reject payments. News of the attack could spark panic, leading to a run on rival lenders, as customers pull money from their accounts amid fear the disruption could spread.
This situation may seem far-fetched but it is not a long way off from the government’s “reasonable worst-case scenario” if a sophisticated cyber-attack hit a big UK bank. With the financial industry among 14 sectors categorised as “critical national infrastructure”, it is no surprise that a hack is listed on the national risk register, which models some of the biggest threats facing the UK.
Billions of pounds are being spent preventing the kind of devastating attacks that shut down systems at three retailers, Harrods, the Co-op and M&S, this spring.
“The amount of money [that] banks, all of us, will be spending on our systems is enormous today. And it has to be,” the UK chief executive of HSBC, Ian Stuart, told MPs last month. “We are being attacked all the time.”
HSBC alone is having to invest hundreds of millions of pounds to protect itself, Stuart said. “This is our biggest expense.”
Globally, banks are expected to allocate 11% of their IT budgets to cybersecurity in 2025, according to an EY study. With those IT budgets forecast to hit $290bn (£214bn) this year, according to the research body Celent, banks could end up shelling out $32bn on cybersecurity by December.
It is a new era for high street banks, as attempted heists evolve from criminals in balaclavas hitting physical branches and vaults to state-sponsored hackers and independent cybergroups looking for ransom payments or merely to cause mass disruption.
“Banks have understood the risk far better than probably a lot of other industries. They’ve invested far more in security,” said Stuart McKenzie, a managing director for Mandiant Consulting, a Google-owned cybersecurity company that works closely with a number of lenders in the UK.
Last month the governor of the Bank of England told the BBC that cybersecurity was a risk that was never going away because it continually evolved. “We’re dealing with bad actors who will continually refine the lines of attack. And I always have to say to institutions: ‘You’ve got to continue to work at this,’” Andrew Bailey said.
However, protecting systems is a complex task. Most high street banks operate on an onion-like IT system, with layers upon layers of updates, patches and add-ons. Throw third-party software and cloud providers into the mix, and banks are left playing whack-a-mole.
“We call it the attack surface,” Alan Woodward, a professor and cybersecurity expert at the University of Surrey, said. “The attack surface has actually increased, so the opportunities for attackers to try to look for ways in have also increased.”
No bank hacks to date have been disruptive enough to bring a country to an economic standstill – although April’s power blackout across the Iberian peninsula exposed how reliant modern societies are on digital payments. Where hackers have been successful, they have more often than not targeted banks’ customer data and accounts.
In 2021, attackers targeting the US bank Morgan Stanley stole personal information belonging to its corporate clients by hacking into a server used by a third-party consulting company.
A year earlier, at the start of the Covid pandemic, attackers got hold of staff mailboxes at the Italian state-owned bank Monte dei Paschi, and sent emails to clients with voicemail attachments.
Meanwhile, one of the most devastating hacks on a UK bank came in 2016, when criminals found a way to guess bank card details and steal almost £2.5m from 9,000 accounts at Tesco Bank. Tesco was forced to halt all online and contactless card transactions after struggling to block fake purchases taking place around the world, including Spain and Brazil.
Tesco Bank eventually reimbursed customers in full.
The National Cyber Security Centre says customers who suspect a hack should contact their bank using its official website or social media channels, and avoid using any links or contact details they have been sent. The bank should be able to confirm whether a hack has actually taken place, how the customer has been affected and what they need to do next.
The Bank of England has tried to stay a step ahead. Policymakers officially recognised cybersecurity as a risk to financial stability in 2013 and started to implement cyber resilience standards for all regulated banks and insurers under its supervision.