Online Banking Upgrade Contributed to Bank of America Outage

Bank of America Corp., whose website has been down sporadically since last Friday, says the problem stems from technical hiccups, not a hack attack.

David Owen, senior vice president and head of online and mobile banking for Bank of America, said the shutdown arose from a convergence of three events.

The events include a spike in end-of-the-month traffic related to payday transactions, government disbursements, and end-of-the-quarter activity. That was coupled with the release of new code for its online banking site and the migration of a set of consumers from the older platform to a newer online banking system.

"It is nothing we haven't managed before, but these are peak times of business," Owen says.

Owen says that Bank of America's track record for systems availability and customer fulfillment is over 99.99 percent.

Industry experts disagreed sharply.

"Bank of America is becoming too big to fail and too big to manage," says Avivah Litan, vice president and distinguished analyst for Gartner Inc.

The nearly weeklong failure points to far larger problems for the bank, Litan says. These include managing a large and disparate IT team whose members were likely having difficulty communicating with one another about the upgrades, which first had to happen internally in a duplicate technical environment.

Litan says Bank of America likely has thousands of IT workers involved in the upgrade.

"It would be easy for them to trip on each other, and the release of the new code can act as a trip wire, which has a cascading effect," Litan says.

Earlier in the week it had been postulated that Bank of America was shut down by a distributed denial of service attack in retaliation for a $5 fee the bank announced it would impose on many of its debit card accounts.

DDOS attacks occur when a website is bombarded with millions of bogus requests, usually from a botnet army of zombie computers hijacked by hackers.

DDOS attacks shut down the websites of Mastercard Inc., Visa Inc., and PayPal Inc. as retribution from hackers who blamed those companies for cutting off the flow of funds to the whistleblower site WikiLeaks earlier this year.

But no one has stepped forward to claim responsibility for the Bank of America attacks, says Julie Conroy McNelley, a senior analyst with Aite Group.

"If this was a really bad IT migration [BofA is] going to be dissecting this and learning from it to make sure this never happens again," McNelley says.

McNelley says technical problems similarly caused a multi-day shutdown and service issues for JPMorgan Chase & Co.'s site for credit card customers in late 2010.

Owen says the shutdown was not a DDOS attack. He says that within minutes, Bank of America began working with a team of internal and external experts, as well as law enforcement officials, to try to determine the cause of the attack.

"We did not have an outage, and we were never down during this time but we had a performance issue from degraded service and slowed service," Owen says.

Owen says that by end of day Wednesday the site was almost 100% operational. He says Bank of America is not yet ready to proclaim "victory," and that the bank is assessing the situation day by day.

"We take this very seriously, this is not the experience that our customers expect, and we have not met our customers' expectations," Owen says. "We are 110% focused on making it right to our customers."

Litan says that online banking systems need to be treated as mission-critical, much the same way air traffic systems and others are.

"This would not be happening in a trading system," Litan says.
