Hong Kong Stock Exchange says its website was hacked while it halted derivatives trading to fix unrelated software bug

Enoch Yiu

Hong Kong’s stock exchange website was hacked yesterday, while the bourse had halted derivatives transactions to fix an unrelated software bug, as the operator faced a combination of technical outages at a time of heightened sensitivity about the city’s role as Asia’s third-largest financial marketplace.

The open-access website of the Hong Kong Exchanges and Clearing Limited (HKEX) was subject to a distributed denial-of service attack (DDoS), where hackers overwhelmed the network with massive incoming traffic, which slowed down and disrupted its ability to display exchange prices and financial data, said the bourse’s chief executive officer Charles Li Xiaojia.

On the same day, a technical bug was found in a vendor’s trading software for derivative financial products, which forced the exchange to suspend the trading of futures and options yesterday afternoon, Li said. Trading resumed today after the exchange returned to using an older version of the software without the bug, he said.

“We will continue to invest more to safeguard and improve” the information and technical infrastructure at the exchange, Li said at a press conference. “We hope the public has the confidence in the robustness of our system.”

Charles Li Xiaojia, Chief Executive of Hong Kong Exchanges and Clearing (HKEX), at the Hong Kong Exchanges and Clearing Market (HKEX) Annual General Meeting in Central on 24 April 2019. Photo: SCMP / Jonathan Wong

Traders rushed back to the derivatives market today when transactions resumed, with 986,197 contracts, including 171,214 contracts on the Hang Seng Index futures, changing hands as of 6:30pm, in line with the daily average volume in August.

Brokers had complained yesterday that they could not enter their orders into the exchange’s derivatives trading platform, where financial products such as futures and options derived from underlying indexes and assets can be bought or sold. A total of 60,070 contracts were traded yesterday before trading was suspended.

HKEX shares, which are themselves traded on the exchange, rose by as much as 3.1 per cent before closing 0.9 per cent higher at HK$249.40, recovering from yesterday’s 1.9 per cent loss after derivatives trading was stopped.

This wasn’t the first time that hackers had taken aim at the HKEX’s website. In August 2011, the HKEX website was subject to a similar DDoS attack, forcing the exchange to suspend trading seven stocks with HK$1.5 trillion in combined market value, including HSBC Holdings, the largest of the city’s three currency note issuing banks. Shares of Hong Kong’s hometown carrier Cathay Pacific Airways and the exchange itself were also halted then.

Businessman Tse Man-lai, who was behind the 2011 cyberattack, was subsequently convicted and jailed for nine months. Li was grilled by Hong Kong’s legislators for the security breach and the trading suspension. After the hacking attack, HKEX outlined a HK$2 billion budget to bolster its information technology platform and trading system.

The HKEX should upgrade its cybersecurity defences, especially at a time when Hong Kong had witnessed three months of unprecedented civic unrest and public discord, said Christopher Cheung Wah-fung, a local legislator who represents the city’s brokers.

“Amid the sensitive timing, any problem with the HKEX’s trading systems or its website will create a lot of speculation and panic,” said Cheung, the chairman of Christfund Securities who remembers the 2011 cyberattack. “The HKEX needs to safeguard its system to prevent any problem to happen again.”

SCMP Graphics

Yesterday’s unprecedented suspension of derivatives trading - the first since 2000 - was unrelated to the cyberattack on the website, because the trading platform used was a closed system that is not readily accessible to the public.

“The derivative market suspension was related to a software bug. We switched to the backup system but there was also a software bug,” Li said. “We had no choice but to suspend trading of all futures and options contracts from 2pm on Thursday. The trading has resumed to normal this morning after we return to use the version of the software without the bug.”

HKEX’s derivatives exchange uses the Genium INET trading system developed by Nasdaq, first installed in Hong Kong in October 2013. The system was upgraded to Genium’s new platform in May, with a two-week “stabilisation period” and a fallback plan in case of “irreparable incidents,” according to the exchange’s information. Nasdaq officials could not be reached to comment.

The combination of outages also raises questions about the HKEX’s ambition to transform itself into a technology company specialising in automated systems and big data analysis, part of Li’s three-year transformation programme to reimagine the bourse as a global financial marketplace.

Altogether, the exchange has spent HK$3 billion on information technology over the past six years to upgrade the efficiency and security of its trading systems, Li said.

“Overseas markets such as the London Stock Exchange, Chicago Mercantile Exchange also experience technical problems, so HKEX is not alone in experiencing this technical problem,” said Gordon Tsui Luen-on, chairman of the Hong Kong Securities Association. “There is concern of whether the HKEX is responding to market participants in a timely manner on software security issue, crisis management. Overall, such trading suspension may not greatly affect Hong Kong image, but more importantly, the execution of the contingency plan.”

More from South China Morning Post:

This article Hong Kong Stock Exchange says its website was hacked while it halted derivatives trading to fix unrelated software bug first appeared on South China Morning Post

For the latest news from the South China Morning Post download our mobile app. Copyright 2019.