Bank of America Corp., whose website has been down sporadically since Sept. 30, says the problem stemmed from technical hiccups, not a hack attack.
David Owen, BofA senior vice president and head of online and mobile banking, says the shutdown arose from a convergence of three events.
The events include a spike in end-of-the-month traffic related to payday transactions, government disbursements, and end-of-the-quarter activity. That was coupled with upgrades to its online banking site and the migration of a set of consumers from the older platform to a newer online banking system.
"It is nothing we haven't managed before, but these are peak times of business," Owen says.
Owen says the bank’s track record for systems availability and customer fulfillment is over 99.99 percent.
Industry experts disagreed sharply.
"Bank of America is becoming too big to fail and too big to manage," says Avivah Litan, vice president and distinguished analyst for Gartner Inc.
The nearly weeklong failure points to far larger problems for the bank, Litan says. These include managing a large and disparate IT team whose members were likely having difficulty communicating with one another about the upgrades, which first had to happen internally in a duplicate technical environment.
Litan says BofA likely has thousands of IT workers involved in the upgrade.
"It would be easy for them to trip on each other, and the release of the new code can act as a trip wire, which has a cascading effect," Litan says.
Earlier in the week observers postulated that BofA was shut down by a distributed denial of service attack in retaliation for a $5 fee the bank announced it would impose on many of its debit card accounts.
Such attacks occur when a website is bombarded with millions of bogus requests, usually from a botnet army of zombie computers hijacked by hackers.
Distributed denial of service attacks shut down the websites of Mastercard Inc., Visa Inc., and Paypal Inc. as retribution from hackers who blamed those companies for cutting off the flow of funds to the whistleblower site WikiLeaks earlier this year.
But no one has stepped forward to claim responsibility for the BofA attacks, says Julie Conroy McNelley, a senior analyst with Aite Group.
"If this was a really bad IT migration [BofA is] going to be dissecting this and learning from it to make sure this never happens again," McNelley says.
McNelley says technical problems similarly caused a multi-day shutdown and service issues for JPMorgan Chase & Co.'s site for credit card customers in late 2010.
Owen says the shutdown was not the result of an attack. He says that within minutes, BofA began working with a team of internal and external experts, as well as law enforcement officials, to try to determine its cause.
"We did not have an outage, and we were never down during this time but we had a performance issue from degraded service and slowed service," Owen says.
Owen says that by end of day on Oct. 6 the site was almost 100% operational. Bank of America is not yet ready to proclaim "victory," he notes, adding that the bank is assessing the situation day by day.
"We take this very seriously, this is not the experience that our customers expect, and we have not met our customers' expectations," Owen says. "We are 110% focused on making it right to our customers."
Litan says that online banking systems need to be treated as mission-critical, much the same way air traffic systems and others are.
"This would not be happening in a trading system," Litan says.










