It was the most high-profile cyber attack in some time, and one of the largest ever carried out. Governments, hospitals, companies and universities in over 150 countries were hit by the recent ‘WannaCry’ cyber attack, which infected more than 230,000 computers with ransomware and demanded bitcoin payments.
Media coverage in the UK focused on the implications for our National Health Service, but among others affected was the Russian Central Bank. Fortunately, Russian media reported that there had been “no incidents compromising data resources of banking institutions” - a let-off this time round.
The WannaCry ransomware was a backdoor attack on Microsoft Office, through a vulnerability that was fixed with a patch back in March - but many hadn’t yet installed the update. That will continue to be a communication challenge for businesses, but an even greater risk lies in ‘zero-day’ vulnerabilities, which are previously unknown - meaning they are, in a way, unpreventable. That’s a huge risk to banks and fintech entrants and, importantly, to the global financial system itself.
This is an ongoing threat for major banks. And yet, they have been warned. Last year, the US Federal Financial Institutions Examination Council pointed out a sharp rise in ransomware attacks, and the implications for financial services - ransomware attacks on businesses increased three-fold last year, from an attack every two minutes to one every 40 seconds.
In these types of attacks, hackers have convinced those affected that the attack is the result of an official government sanction, using official government logos and demanding fines for ‘noncompliance’. It’s one of a range of techniques that cybercriminals are now using to extort financial institutions. And of course, a tough end to last week for Barclays' Jes Staley showed that even the most senior bankers are not immune to cyber threats and hoaxes.
London has led the way recently, with new fintech startups and challenger banks offering consumers more choice than ever when it comes to managing their money. But these companies aren’t immune either. Just as the fintech sector has begun to build trust among consumers as a viable banking alternative, one large-scale cyber attack could undo a lot of that good work.
We saw the damage done to Tesco Bank's brand, for example, after a large-scale cyber attack last year that affected 9,000 customers. And with fewer technical resources, the challenge is particularly great for these new entrants - banks, meanwhile, have invested huge amounts in cyber security in recent years.
For consumers, the impact of WannaCry could be significant. Security was already high on the agenda - surely now it will be top of mind for anyone choosing a new bank or financial provider. In that process, we could increasingly see security move from a secondary factor to a decisive one.
As we move out of beta mode here at Curve and launch to the mass market, it’s certainly something we’re conscious of. People must have confidence in the way they pay and manage their money - and after this latest attack, it is more apparent than ever that the importance of cybersecurity goes well beyond compliance.
In time, banks and fintechs must integrate - or build their own - security engines that use machine learning to identify and pre-emptively protect themselves, and their customers, from software vulnerabilities before they’re even aware that they exist. But for now, constant vigilance is the bare minimum.