More than half of the world’s 50 biggest bank websites have been hit by security incidents in the past eight years, a study has revealed.

High or critical risks made up 15% of the total incidents discovered, affecting 11 banks, according to research by Swiss IT security services firm High-Tech Bridge.

Low or medium risks made up 46% of the 102 incidents that affected 23 of the banks, said the research, published to coincide with the UK financial sector cyber resilience exercise.

Operation Waking Shark 2 is the most extensive cyber threat exercise in two years to test the preparedness of the UK financial infrastructure to withstand a sustained cyber attack.

Topping the security incident table in the High-Tech Bridge study is the Bank of America with 12 incidents, followed by HSBC and Bank of Montreal with 10 each, and Barclays with 9.

But most of the incidents (19.6%) were in the UK, followed by the US, Canada and France. No incidents were reported in Denmark, Italy and Japan.

The best performers – with no website security incidents – were 24 of the 50 banks, including Lloyds Banking Group, Mizuho Financial Group, Bank of China, Sumitomo Mitsui Financial Group, Rabobank, Goldman Sachs, National Australia Bank and Scotiabank.

High-Tech Bridge used public and open sources of information to collect statistics on security incidents involving banking websites.

The research team noted the number of actual incidents is probably higher, as many security incidents pass unnoticed or are covered up to protect the reputation of the banks involved.

The study was aimed at assessing the scale of insecure web applications on banking websites, and to find out how many financial institution websites had been compromised.

To simplify the research, High-Tech Bridge looked only at the main websites and subdomains of each bank, without taking into consideration regional websites.

Cross-site scripting (XSS) attacks accounted for 79% of the incidents, followed by SQL injection (SQLi) at 4%.



Ilia Kolochenko chief executive of High-Tech Bridge, said the numbers were high even though the research covered only publicly known security incidents and did not include common DDoS (distributed denial of service) attacks or phishing campaigns.

“The statistics confirm that even financial institutions should pay more attention to their web application security, not only to protect their customers but to maintain their digital reputation,” he said.

Kolochenko said the fact that there were few security incidents publicly exposed in 2013 does not necessarily confirm that web applications are becoming more secure.

“It is more about new objectives of hackers - today they are not looking for glory but for profit, therefore do not make any noise and compromise web systems without being noticed," he said.