My various inboxes have received a number of odd conspiracy theories that RBS/NatWest’s crash is actually due to hackers trying to attack its computer systems. I’ve no knowledge one way or the other, and seriously doubt there’s even an iota of truth in it. Yet it does raise an interesting hypothetical question – should a bank admit to the public if hackers are causing it problems?
Of course the easy, knee-jerk instinct is to say that customers ALWAYS have a right to know. Well, I certainly err on this side in principle; however, I suspect these issues would be more complex. The bank must, of course, inform the regulator and the police first, and any decision about disclosure should be taken in conjunction with them, and made in the public, rather than purely commercial, interest.
If there is a risk an individual’s personal data has been compromised and they are at risk of fraud and loss elsewhere – then that comes first and they should be told immediately.
Yet an attack and a data breach are not necessarily the same thing. In 2007 MSE suffered a DDoS (distributed denial of service) attack: effectively a flood of bogus traffic from a great many machines at once, mimicking an enormous number of users, to overwhelm the servers and knock the site offline. No data is taken in such an attack; the site simply cannot serve its real visitors.
It lasted days and we were down during that time. No ransom note came, though they are common.
It could’ve been a hacker doing it just for fun, or a targeted attack, as it started when we launched the PPI reclaiming campaign.
So imagine a bank is under attack and has had a ransom demand – does it aid the public by knowing what happened? Or does it put the bank and the system more at risk, increase the criminal’s ransom, and act as an open invitation for others to do the same?
Equally, if a bank had fended off an unsuccessful attempt to break into its data vaults, and needed to make emergency changes to prevent a repeat, does going public risk aiding the cybercriminals, revealing too much about its internal security procedures, and making further attacks more likely?
Plus the panic caused by people knowing the bank was under attack, and thinking their money was at risk, could cause a run on it. (Even though the likely reason things weren’t working is that systems had been deliberately shut down to stop exactly that from happening.)
So, imagine a bank were under a criminal, or even state-sponsored, attack and it caused a massive failure of customer services, but no direct risk of fraud. Should the regulator prioritise ensuring the issue is transparent, or should it protect customers and the system’s financial stability?
Answers on a postcard please… (via the comments below).
PS. This isn’t a coded message that I think NatWest has been subjected to an attempted hack. I genuinely believe it has just screwed up (which is worse?). Yet the conspiracy theories do present an interesting hypothetical.