More Banks Disclosing Cyber Attacks in SEC Filings

U.S.-based banks recently affected by the wave of denial-of-service campaigns against financial institutions disclosed some attack details to the Securities and Exchange Commission.

Several institutions, including Citigroup, JPMorgan Chase, Bank of America, Goldman Sachs Group, Capital One, U.S. Bancorp, and HSBC North America, referenced the DDoS attacks in their most recent annual 10-K earnings reports filed with the SEC. The attacks, intended to disrupt consumer online banking services, succeeded as customers were unable to access their accounts for a period of time, the banks wrote.

These institutions had come under DDoS-fire since last fall and winter, with the attacks allegedly launched by a group calling itself Izz ad-Din al-Qassam Cyber Fighters. The group started the latest series of attacks in late February and early March.

“The firm and several other U.S. financial institutions continue to experience significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which are intended to disrupt consumer online banking services,” JPMorgan Chase wrote in its 10-K filing, submitted to the SEC on Feb. 28.

Both Chase and U.S. Bank referred to the attacks as “technically sophisticated and well-resourced.” U.S. Bank said the attacks required substantial resources to defend, and Citigroup said it has “increases in expenditures to monitor against the threat of similar future cyber-incidents.”

Security researchers have identified the “itsoknoproblembro” DDoS kit used to launch the attacks as well as the fact that attackers had compromised a series of Web servers to create the botnet which sent enough network traffic to overwhelm banking sites.

The banks worried about the effects these attacks may be having on their reputations. U.S. Bank said the attacks “may affect customer satisfaction and behavior.” They were also concerned about future attacks and how they would affect customer perception.

“Should a cyber-attack against us succeed on any material scale, market perception of the effectiveness of our security measures could be harmed,” Capital One wrote in its filing Feb. 27.

Citigroup, U.S. Bank, and Chase reported other attempts to breach networks or steal data. While Chase did not offer any details, Citigroup described ongoing cyber-incidents, such as attempts to gain unauthorized access, access data, account takeovers, and malware attacks. U.S. Bank said attack attempts were increasing and the “company continues to develop and enhance its controls and processes to protect against these attempts.”

“Because the methods and techniques employed by perpetrators of fraud and others to attack, disable, degrade or sabotage platforms, systems and applications change frequently and often are not fully recognized or understood until after they have been launched, we and our third-party service providers and partners may be unable to anticipate certain attack methods in order to implement effective preventative measures,” Capital One wrote.

The institutions, with the exception of Citigroup, said the attacks did not cause any loss of data or breach the networks and impact other servers. Even so, “there can be no assurance that we will not suffer such losses in the future,” Bank of America wrote Feb. 27.

“If these attacks are successful, or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services online,” Capital One wrote.

Citigroup acknowledged the attacks led to some losses, but did not elaborate further.

“While Citi’s monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances,” Citigroup wrote in its 10-K report filed March 1.

In 2011, the SEC issued guidelines indicating that publicly traded companies have to disclose cyber-incidents that could lead to financial losses or pose a material risk to their organization in their regulatory filings. While these were guidelines and not mandatory requirements, many organizations over the past year have started disclosing various breaches and attacks in their SEC filings. These recent 10-K filings outlined the risks the financial institutions face in terms of disrupted services, reputation damage, and potential data loss.

“Additional challenges are posed by external extremist parties, including foreign state actors, in some circumstances as a means to promote political ends,” Citigroup wrote.
