“Bank Database Presents Target for Hackers and Hostile Powers”
by The Telegraph   
September 8th, 2014

Twenty-year veteran of GCHQ fears global information-sharing is vulnerable to attack

Brian Lord was the former deputy director for intelligence and cyber operations at GCHQ Photo: PA

A global database of bank customer information presents the biggest cybersecurity risk to the financial sector’s safety and could be open to attacks from rogue states and criminals, according to a former GCHQ insider.

The world’s biggest banks are collaborating on a massive repository of customer information put together to share data, in an attempt to prevent themselves from doing business with sanctioned companies and organisations.

The database, known as Clarient Global and majority-owned by the New York-based Depository and Clearing Trust Corporation, is being created partly in response to a series of fines levied on big banks for failing to spot transactions with suspicious entities. It will act as a turbocharged dossier of institutional clients, intended to ensure banks know who they are dealing with, and shareholders in the project include Barclays, JP Morgan and Goldman Sachs.

However, storing this information under one roof, as well as the number of banks involved, presents a huge security risk, warned Brian Lord, GCHQ's former deputy director for intelligence and cyber operations.

Mr Lord, now a managing director at cyber-warfare experts PGI, said the sheer volume of sensitive information present in one place would make it the most attractive target for nation states and hackers seeking to disrupt the financial system. 

“What this proposal appears to be is putting all that data in one repository, and this makes the value to a hostile actor significantly more than the sum of its parts,” he said.

“Because the accumulative value of this data is so large it would attack state interest, it is going to be valuable to the highest possible level of sophisticated actor.”

Banks are becoming increasingly wary about the threat of cyber-attacks, and are beefing up security systems in response to increasingly complex attacks from both nation states and criminals. Just last month, hackers said to be based in Russia reportedly stole gigabytes of data from JP Morgan in an attack that was investigated by the FBI.

At the same time, the lenders are working together to better share information to avoid the mistakes that can lead to substantial fines. Earlier this year, BNP Paribas agreed to pay $8.9bn (£5.4bn) after pleading guilty to money laundering. HSBC and Standard Chartered have also been hit with substantial fines for breaching sanctions.

Although banks spend millions developing the highest-level security systems, the number of banks involved in Clarient Global would make it vulnerable, said Mr Lord, a two-decade veteran of GCHQ.

“Regardless of how good your technology is, one of the greatest vulnerabilities is the human being and the user, and what you’re doing here is creating a number of users, each of which has their own culture and modus operandi,” he said. “You’re putting them on to the same system and expecting them to use it the same way.”

Additionally, the number of bank systems in place will make security upgrades complex and slow, meaning they are vulnerable to new forms of attack. “The number of times you can do security upgrades is limited because there’s such a level of complexity,” Mr Lord said. “[The speed at which hackers find new ways to attack] will invariably exceed the ability to upgrade the security and the abilities of humans.”

Three years ago, the Bank of England undertook Operation Waking Shark, an industry-wide exercise to mimic a large-scale cyber attack on the British financial system. The 24-hour simulation covered everything from the complete failure of payments systems to the failure of major industry IT platforms as a result of a sustained cyber-attack.

The test was repeated last year to demonstrate how systems within banks had improved to keep information secure.
