
  • Enterprise IT, News, Security - Written by on Tuesday, April 15, 2014 14:34 - 6 Comments

    Heartbleed, internal outages: CBA’s horror 24 hours


    The Commonwealth Bank’s IT division has suffered something of a nightmare 24 hours: a catastrophic internal IT outage took down multiple systems and left physical branches offline, while the bank separately drew public opprobrium for contradictory statements it made about its potential exposure to the Heartbleed OpenSSL bug.

    This morning Delimiter received an anonymous tip stating that the bank was suffering a major outage affecting its Internet banking, EFTPOS, telephone and branch banking and even its CommSec trading platform. The problem is rapidly becoming visible externally, especially because some of CommBank’s branches have been unable to open.

    The source of the outage, according to unverified internal information, is that the bank is suffering problems with a number of groupwide systems, including its CommSee customer platform and even systems used by its Colonial First State brand. The issue is described as a “massive system outage affecting all CommSee users”, and has been listed internally as a priority 1 outage.

    Asked about the issue, the bank firstly issued a statement apologising to customers and noting that it was working to restore services as a priority. Shortly after, it issued an updated statement noting that its technical issue “has been resolved”, with full services progressively being restored.

    The outage is not the first time in recent memory that CommBank has suffered an extensive internal outage with its IT systems which has resulted in significant chaos for staff and customers. In late July 2012, for instance, the bank was plunged into chaos following what appeared to be a disastrous misapplication of an operating system patch to thousands of desktop PCs and hundreds of servers at the time.

    That outage similarly took down CommSee, effectively making it impossible for staff to complete much of their work. At the time, blame for the outage was pinned on outsourced supplier HP, leading to a direct visit by the vendor’s global chief executive Meg Whitman to Australia to hold talks directly with CommBank on the issue.

    Separately, CommBank has also been suffering a high degree of criticism over the past 24 hours especially about its handling of the Heartbleed bug.

    Heartbleed is a security bug in the open source OpenSSL cryptography library, which is widely used to secure Internet communications. It was recently discovered but has been in existence for several years, and has reportedly been used by government agencies such as the US National Security Agency to penetrate supposedly secure systems. The bug affects a huge percentage of Internet services.

    In a post on the bank’s blog last week, CommBank general manager of digital channels and online banking, Drew Unsworth, had initially stated that the bank was “patched” against the bug and that customers did not need to update their Internet banking passwords.

    However, customers quickly pointed out that the bug had been active for several years, making Unsworth’s statement likely to be factually incorrect. If the bug had affected CommBank, customer details could theoretically have been stolen during that time before any patches were applied.

    Unsworth successively updated his post, stating that the bank’s NetBank platform “does not (and did not) use OpenSSL.” “All customer data is safe, so customers do not need to change their NetBank passwords or take any action,” he wrote. “We have multiple layers of security in place to protect our customer sites and services. Our security teams constantly monitor and stay abreast of the latest security vulnerabilities and are quick to take any action required to protect our customers.”

    Unsworth also reminded customers that the bank offered a 100 percent guarantee, provided they kept their NetBank client number and password secure and notified the bank immediately of any suspicious activity on their account.

    Despite the post, however, many customers have posted comments on the blog pointing out the inherent contradictions in Unsworth’s comments, in that he first stated that the bank had patched its systems, but secondly that it never used OpenSSL.

    “This does not compute. Which is it?” asked one commenter. “This is really concerning, you need to get a security expert to actually rewrite this post,” another added. “1. You used OpenSSL in the last 2 years, therefore everyone MUST change their password. No ifs, or buts. 2. You didn’t use OpenSSL and this entire thing was just a media stunt. Either way, you need to address people’s concerns quickly. Copying generic responses will not answer the question.”

    A third wrote: “Wow. I’m a CBA customer and a software developer. I’m amazed by the poor level of support by the CommBank moderator on this thread. Either you don’t understand the issue, or you’re trying to obfuscate. Could you *please* escalate this to someone who is qualified to comment?”

    Pretty terrible 24 hours for CommBank, but I think the bank is gradually getting things under control :) Priority One outages (affecting fundamental service availability) are pretty nasty, but at least most things are back online now, and the Heartbleed issue looks mostly like a bit of a public relations gaffe rather than any kind of actual IT security issue.

    I don’t personally really believe the statement that CommBank doesn’t use OpenSSL at all; I’m sure OpenSSL is indeed used somewhere in the bank’s vast operations. CBA uses virtually every technology known to man in some capacity; it’s that big. But I’m also pretty sure that the bank wouldn’t have been vulnerable in the normal way that smaller companies or platforms have been to the Heartbleed issue. I would say CommBank’s systems are too complex and its security too tight for that. I think this one was just communicated poorly. Happy to hear divergent views, however.

    Image credit: megawatts86, Creative Commons




    1. Antic Ped
      Posted 15/04/2014 at 3:41 pm

      There is another bitey in this saga.

      Affected systems need not only an updated OpenSSL but they also need new certificates which should be generated on a computer which is NOT connected to the ‘net.

      Deutsche Bank’s main consumer portal checked out OK on the Heartbleed test app but was still vulnerable because no new cert had been applied.
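      The point in the comment above, that a Heartbleed test reporting “patched” says nothing about whether the certificate served by the once-vulnerable process was reissued, can be turned into a simple inventory check. The following is an added example, not code from Delimiter, CBA or the OpenSSL project; the endpoint record fields and the sample entries are constructed, and the assumption is that a certificate whose notBefore predates the patch was served by an exposed process and so its key must be treated as compromised.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Endpoint:
    """One TLS endpoint from a constructed asset inventory (hypothetical field names)."""
    host: str
    uses_openssl: bool            # does the TLS stack link a Heartbleed-era OpenSSL build?
    library_patched: bool         # has a fixed OpenSSL build been deployed?
    patched_at: Optional[str]     # deployment time, getpeercert() style "Apr  9 10:00:00 2014 GMT"
    cert_not_before: str          # certificate notBefore in the same format


def _ts(cert_time: str) -> float:
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form that
    # ssl.SSLSocket.getpeercert() reports for notBefore / notAfter.
    return ssl.cert_time_to_seconds(cert_time)


def remediation_findings(ep: Endpoint) -> List[str]:
    """Return the outstanding Heartbleed remediation steps for one endpoint."""
    findings: List[str] = []
    if not ep.uses_openssl:
        return findings  # the heartbeat bug only affects OpenSSL-based stacks
    if not ep.library_patched:
        findings.append("upgrade OpenSSL to a fixed build")
        findings.append("reissue certificate after patching (current key may be exposed)")
        findings.append("force password and session resets after patching")
        return findings
    if ep.patched_at is None:
        raise ValueError(f"{ep.host}: patched endpoints need a patched_at timestamp")
    # Library is fixed, but a cert issued before the patch was served by a vulnerable
    # process: an online "are you patched" test passes, yet the key is still suspect.
    if _ts(ep.cert_not_before) <= _ts(ep.patched_at):
        findings.append("reissue certificate: notBefore predates the patch, key may be exposed")
    # Credentials used while the bug was exploitable should be rotated regardless.
    findings.append("force password and session resets for the exposure window")
    return findings


# Constructed sample inventory: a clean host, a patched host still on its old cert,
# an unpatched host, and a host that never ran OpenSSL.
SAMPLE = [
    Endpoint("a.example", True, True, "Apr  9 10:00:00 2014 GMT", "Apr 10 08:00:00 2014 GMT"),
    Endpoint("b.example", True, True, "Apr  9 10:00:00 2014 GMT", "Mar  1 00:00:00 2013 GMT"),
    Endpoint("c.example", True, False, None, "Jun  1 00:00:00 2012 GMT"),
    Endpoint("d.example", False, False, None, "Jun  1 00:00:00 2012 GMT"),
]

if __name__ == "__main__":
    for ep in SAMPLE:
        print(ep.host, "->", remediation_findings(ep) or ["no action"])
```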


    2. Daniel
      Posted 15/04/2014 at 3:57 pm

      How can a physical branch be “offline”?

      Maybe you mean closed, but how can that be? Surely humans can still unlock doors and interact with people without a computer?

      • PeterA
        Posted 15/04/2014 at 4:49 pm

        But what can they say to those customers?
        They can’t withdraw, they can’t deposit, they can’t verify balances.

    3. Luigi
      Posted 17/04/2014 at 2:18 pm

      So, was the massive outage caused by an authentication error when they attempted to update their key certificates following Heartbleed? That’s happened to a few companies: I was getting certificate errors for a few days as companies cycled through short-term certificates in their efforts to make quick fixes.

    4. Zak
      Posted 17/04/2014 at 4:17 pm

      How many other holes or hidden passages exist in open-sourced code?
      Seems like the free ride is over for OSS freeloaders.

      • gordon451
        Posted 18/04/2014 at 12:16 am

        Actually, the free ride is still on. Heartbleed was/is not a bug in OpenSSL code, it is a bug in the TLS Heartbeat extension, nothing at all to do with OpenSSL.

        Other holes or hidden passages? Probably a lot fewer than those in closed source OSes.



