Lloyds, Barclays Reveal Security Lapses, Disruptions in Payments

(Bloomberg) -- Lloyds Banking Group Plc, Barclays Plc and other U.K. lenders disclosed major security and operational incidents that cut off customers’ access to payment services, as regulators force lenders to publicize disruptions from cyber-attacks and other causes.

There were 19 such incidents at Lloyds, 18 at Barclays and 16 at Royal Bank of Scotland Group Plc that prevented customers from using telephone, mobile and Internet banking in the second quarter of 2018. Tesco Bank, which was targeted by cyber-criminals in 2016, reported six incidents in the period. The reports published on the banks’ websites don’t explain what caused the outages.

Most cases at Lloyds were “very small” and “resolved quickly without customers experiencing any detriment,” a spokesperson said by email. A Barclays spokesman had no immediate comment.

The public reports are part of efforts by the Financial Conduct Authority and Competition and Markets Authority to shine a light on banks’ ability to cope with a wave of hacks and technical problems and help consumers choose the best current account.

Lloyds, Barclays Reveal Security Lapses, Disruptions in Payments

For years, the Bank of England has directed financial institutions to strengthen the resilience of their computer systems. Under a central bank program, lenders have hired “white-hat” hackers to test their defenses even as criminals ramp up the potency and scope of cyber-heists.

Now regulators are signaling they may ask banks to standardize the way they disclose cyberattacks to consumers, said James Chappell, a co-founder and chief intelligence and innovation officer at Digital Shadows, a London-based cyber-defense firm. Reaching agreement on how to classify and report incidents that often vary widely in scale could be a painstaking and costly process.

“Very few people agree on a consistent definition of what an incident is,” said Chappell, whose firm took part in the Bank of England’s program. “Is it when an antivirus alarm goes off, which is all the time, or is it when when there’s an unauthorized access of data, or it is when there’s an outage of the system? I think what regulators want to do is agree on a standard of what that incident means so banks can report it.”

©2018 Bloomberg L.P.