Personal & banking info of HSBC customers stolen in major data breach
7 November 2018
HSBC Bank announced yesterday that it suffered a data breach in October in which unnamed hackers gained access to customers’ account details, such as bank statements and transaction history, as well as customers’ personal information, such as names, dates of birth, and home addresses.
In a regulatory filing with authorities in the state of California, HSBC added that it had notified all the affected customers about the breach and had offered them one year of credit monitoring and identity theft protection service.
Personal and banking information affected
“HSBC became aware of online accounts being accessed by unauthorised users between October 4, 2018 and October 14, 2018. When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorised entry of your account,” the bank said in a letter to affected customers.
“The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously. We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service,” HSBC said in the regulatory filing.
According to the BBC, less than 1 percent of HSBC’s U.S. customers may have been affected by the breach, but it is possible that the breach was not limited to the state of California. However, the bank is yet to announce the exact number of customers who were affected, even though it did state that it has added a layer of protection to its customer accounts to prevent data breaches in future.
Commenting on the breach suffered by HSBC in the U.S. between 4th and 14th October, Corin Imai, senior security adviser at DomainTools, said that this is simply the latest in a long line of breaches indicating that we as an industry have room for improvement in how we handle and protect sensitive data.
“Financial institutions have been making large strides in protecting customer data since it is among the most valuable data to steal, and potentially the most damaging type of PII to be exposed. It appears that HSBC is taking the proper steps in notification and handling of impacted customers,” he added.
Data breach a consequence of human error?
Ilia Kolochenko, CEO and founder of High-Tech Bridge, said that unless the scope, circumstances and the total number of affected customers become known, it would be premature to make any categorical conclusions. However, considering that only U.S. customers were affected, Kolochenko believes that the breach occurred via an authorised third party or careless employee.
“Data leaks caused by negligent third-party providers become more and more frequent these days. An abandoned US-based web system with a limited set of customers’ data can also be among the possible attack vectors. Often large companies deploy demo systems to production for legitimate testing purposes, consequentially forgetting about them, leaving the unprotected systems and data externally accessible.
“The bank’s reaction is relatively prompt, proposed remediation seems to be technically adequate for the incident. This will, however, unlikely exonerate them from private lawsuits and, perhaps, even a class action by disgruntled customers and privacy watchdogs,” he observed.