Government cyber security response teams have jumped to action as outages of Westpac mobile and online banking services extends into their fourth day, despite the bank’s repeated claims to have fixed the problem that left millions without access to their money.
The service outage – which affected both Westpac and its subsidiaries St George Bank and BankSA – took down banking services on Monday and Tuesday, with Westpac first confirming the outage on Monday afternoon and claiming it was resolved hours later.
Westpac confirmed new outages at 2:15pm Tuesday afternoon; claimed they had been restored by 4:00pm; confirmed more outages at 8:30am Wednesday before declaring the problem solved at 2:03pm after staff worked “around the clock” to restore services.
Yet after days of apologies from flat-out Westpac support staff, the number of outages reported to DownDetector surged again on Thursday morning, with the number of reports at 10.21am higher than at any point on Wednesday.
Customers were livid, calling the outage “crazy” and “absolutely shocking” as they recounted concerns that they would be charged overdraw fees, penalised for being unable to pay bills, and locked out of their accounts for repeated failed attempts to access the services.
Users reported the app saying that it had no Internet connection, while one user reported “multiple incorrect debits from my Mastercard account…. Messages from Westpac saying my cards are blocked…. would be totally lost if did not have other accounts.”
“Can’t move money from my savings so I guess I’m not eating today,” wrote one X user who said their service had “not been working for me since Monday”.
Others reported problems accessing funds while overseas, while one user opined that “this should be illegal for you guys to take our accounts hostage for multiple hours a day [and] not once have we ever got an explanation for these ‘service disruptions’.”
“Sorry for the inconvenience’ doesn’t do it anymore,” wrote another user who complained that Westpac “close our bank branches, leaving us NO option [then] shut us down online, denying us access to OUR money!!”
Customers around Australia and overseas have been affected by an unexplained and ongoing Westpac outage. Image: DownDetector
Like other banks, Westpac has been steadily closing branches across the country as customers shift towards online banking – with new figures from Canstar confirming that banks closed 230 branches last year and removed 6,000 ATMs over the past five years.
Earlier this year, the bank confirmed that it has 5.92 million customers using its apps and online platforms.
Cyber response mounted as cause of outages remains unclear
As Westpac continued to work towards a permanent fix for the problems, government cyber security specialists were taking action – with Treasurer Jim Chalmers calling the outages “really concerning developments” during a Bendigo press conference.
“When something like that happens it enlivens the cyber security part of our government,” Chalmers said, adding that government experts “have been speaking with Westpac” about the outages – whose intermittence suggests distributed denial of service (DDoS) attacks.
“Unfortunately, this is a sign of the times,” Chalmers added.
“We are seeing more of these sorts of interruptions in an economy which is becoming increasingly digital and where the technological changes [are] so fast, we are at risk of some of these sorts of interruptions.”
While industry cyber security body FS-ISAC recently reported a “lower and more stable level of risk in 2023 than in recent years,” NAB cyber investigations head Chris Sheehan recently confirmed that Australian banks are attacked by cybercriminals “all the time”.
The Asia Pacific region has the highest median threat score for phishing attacks against financial institutions, according to a recent Akamai Technologies report that found the financial services industry has “a towering lead” over others when it comes to DDoS attacks.
“Financial institutions are especially attractive targets for DDoS attackers because of the high stakes involved,” it explains.
“Successful disruption of operations can lead to severe financial impact, significant reputation damage, and a loss of trust in the global financial system.”
Financial services organisations reported 58 notifiable data breaches – including 37 malicious or criminal attacks and 17 involving cyber incidents – to the Office of the Australian Information Commissioner (OAIC) during the first half of this year.
And while the cause of Westpac’s latest outage has yet to be confirmed, the bank did warn customers to be aware of the inevitable surge in scams as cyber criminals moved to take advantage of the disruption and discontent caused by the outages.
“Customers are encouraged to be vigilant of potential scams at this time as some scammers may use a service disruption as an opportunity to impersonate the bank, offering help,” bank staff wrote.
“We urge customers to be extra alert and call us if they are concerned.”
Scamwatch has received 4,814 reports of ‘IT support’ or ‘remote access’ scams that have taken $5.3 million from Australians so far this year alone.