HSBC Confirms Data Breach Of US Customers


Customers of HSBC in the United States have had their personal details including account numbers and transaction history exposed in a data breach.

Whilst the bank has made no official statement on the matter, the breach came to light after a template of the alert sent to customers was posted online by the California Attorney General’s Office.

This is not the first time that HSBC customers have had their data breached. In 2015 for example HSBC customers in America had their personal account information exposed.

Data breach

The bank said in the alert that it had become aware of online accounts being accessed by unauthorised users between 4 October and 14 October 2018.

The breach alert letter relates to HSBC Bank USA, a subsidiary of the UK-based HSBC Bank.

“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorised entry of your account,” said the alert. “You may have received a call or email from us so we could help you change your online banking credentials and access your account. We apologize for this inconvenience. HSBC takes this very seriously and the security of your information is very important to us.”

The bank said that the information accessed may include full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

The bank said that it has “enhanced our authentication process for HSBC Personal Internet Banking” in order to add an extra layer of security.

“Out of an abundance of caution and at our expense, HSBC is offering you a complimentary year subscription to Identity Guard, a credit monitoring and identity theft protection service,” said the bank.

The BBC reported that it understands the bank believes that fewer than 1 percent of its American clients were affected.

Expert take

One expert lamented the breach but said the financial industry has been doing a lot to ramp up its protection.

“This is simply the latest in a long line of breaches indicating that we as an industry have room for improvement in how we handle and protect sensitive data,” said Corin Imai, senior security adviser at DomainTools.

“Financial institutions have been making large strides in protecting customer data since it is among the most valuable data to steal, and potentially the most damaging type of PII to be exposed,” said Imai. “It appears that HSBC is taking the proper steps in notification and handling of impacted customers.”

Another expert said that firms need to look beyond just securing the network perimeter and examine internal connectivity vulnerabilities.

“This highlights that every company is vulnerable to a breach and there’s a constant flow of attacks from the endpoint that are leading to successful theft,” said Rusty Carter, VP of product management at Arxan Technologies.

“Companies need to treat the web and the browser application itself as a critical access point for enterprise security,” said Carter. “Many companies stop at the network perimeter and are subsequently breached by their own APIs browser/web apps and mobile applications that have been compromised.”

“Consumers need to increase their vigilance as well,” he added. “Reused passwords lost in one breach then become a free ticket to your other accounts. Consumers should employ unique passwords for every site and service they use and change them at least once a year (unless there’s a breach then of course sooner).”

Meanwhile Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge predicted that HSBC US would see lawsuits as a result of the breach.

“Unless the scope, circumstances and total number of affected customers become known, it would be premature to make any categorical conclusions,” said Kolochenko.

“Allegedly, only US customers are affected, thus it may indicate that the breach occurred via an authorized third-party or careless employee,” he said. “Data leaks caused by negligent third-party providers – become more and more frequent these days. An abandoned US-based web system with a limited set of customers’ data – can also be among the possible attack vectors. Often large companies deploy demo systems to production for legitimate testing purposes, consequentially forgetting about them, leaving the unprotected systems and data externally accessible.”

“The bank’s reaction is relatively prompt, proposed remediation seems to be technically adequate for the incident,” said Kolochenko. “This will, however, unlikely exonerate them from private lawsuits and, perhaps, even a class action by disgruntled customers and privacy watchdogs.”

Do you know all about security? Try our quiz!