Hong Kong Stock Exchange says its website was hacked while it halted derivatives trading to fix unrelated software bug

-A +A

(Sept 6): The open-access website of the HKEX was hacked yesterday, the second such cyberattack since August 2011.

An unrelated software bug in the vendor-supplied trading platform, which forced the exchange to suspend derivatives trading yesterday, has been isolated and fixed.

Hong Kong’s stock exchange website was hacked yesterday, while the bourse had halted derivatives transactions to fix an unrelated software bug, as the operator faced a combination of technical outages at a time of heightened sensitivity about the city’s role as Asia’s third-largest financial marketplace.

The open-access website of the Hong Kong Exchanges and Clearing Limited (HKEX) was subject to a distributed denial-of service attack (DDoS), where hackers overwhelmed the network with massive incoming traffic, which slowed down and disrupted its ability to display exchange prices and financial data, said the bourse’s chief executive officer Charles Li Xiaojia.

On the same day, a technical bug was found in a vendor’s trading software for derivative financial products, which forced the exchange to suspend the trading of futures and options yesterday afternoon, Li said. Trading resumed today after the exchange returned to using an older version of the software without the bug, he said.

“We will continue to invest more to safeguard and improve” the information and technical infrastructure at the exchange, Li said at a press conference. “We hope the public has the confidence in the robustness of our system.”

Traders rushed back to the derivatives market today when transactions resumed, with 230,000 contracts, including 59,763 Hang Seng Index futures contracts, changing hands as of 10.30am, six times the daily average volume this year.

Brokers had complained yesterday that they could not enter their orders into the exchange’s derivatives trading platform, where financial products such as futures and options derived from underlying indexes and assets can be bought or sold. A total of 60,070 contracts were traded yesterday, before trading was suspended.

HKEX shares, which are themselves traded on the exchange, rose by as much as 3.1% to an intraday high of HK$254.80, recovering from yesterday’s 1.9 per cent loss after derivatives trading was stopped.

This wasn’t the first time that hackers had taken aim at the HKEX’s website. In August 2011, the HKEX website was subject to a similar DDoS attack, forcing the exchange to suspend trading seven stocks with HK$1.5 trillion in combined market value, including HSBC Holdings, the largest of the city’s three currency note issuing banks. Shares of Hong Kong’s hometown carrier Cathay Pacific Airways and the exchange itself were also halted then.

Businessman Tse Man-lai, who was behind the 2011 cyberattack, was subsequently convicted and jailed for nine months. Li was grilled by Hong Kong’s legislators for the security breach and the trading suspension. After the hacking attack, HKEX outlined a HK$2 billion budget to bolster its information technology platform and trading system.

The HKEX should upgrade its cybersecurity defences, especially at a time when Hong Kong had witnessed three months of unprecedented civic unrest and public discord, said Christopher Cheung Wah-fung, a local legislator who represents the city’s brokers.

“Amid the sensitive timing, any problem with the HKEX’s trading systems or its website will create a lot of speculation and panic,” said Cheung, the chairman of Christfund Securities who remembers the 2011 cyberattack. “The HKEX needs to safeguard its system to prevent any problem to happen again.”

Yesterday’s unprecedented suspension of derivatives trading — the first since 2000 — was unrelated to the cyberattack on the website, because the trading platform used was a closed system that is not readily accessible to the public.

“The derivative market suspension was related to a software bug. We switched to the backup system but there was also a software bug,” Li said, declining to divulge the vendor’s details. “We had no choice but to suspend trading of all futures and options contracts from 2pm on Thursday. The trading has resumed to normal this morning after we return to use the version of the software without the bug.”

The combination of outages also raises questions about the HKEX’s ambition to transform itself into a technology company specialising in automated systems and big data analysis, part of Li’s three-year transformation programme to reimagine the bourse as a global financial marketplace.

Altogether, the exchange has spent HK$3 billion on information technology over the past six years, to upgrade the efficiency and security of its trading systems, Li said.

“Overseas markets such as the London Stock Exchange, Chicago Commodities Exchange also experience technical problems, so HKEX is not alone in experiencing this technical problem,” said Gordon Tsui Luen-on, chairman of the Hong Kong Securities Association. “There is concern of whether the HKEX is responding to market participants in a timely manner on software security issue, crisis management. Overall, such trading suspension may not greatly affect Hong Kong image, but more importantly, the execution of the contingency plan.”