Bad news if you are a US mortgage customer of HSBC Financial Corp, after the bank informed customers of a data breach.

The breach apparently began towards the end of 2014 and was only discovered on 27 March 2015.

Serious Breach

The data breach sounds like a potentially serious one. Customers have reportedly had their personal account information compromised, and law enforcement officials have been informed. Compromised information includes names, account numbers (including old account numbers), Social Security numbers, and even telephone numbers.

“HSBC Financial Corporation notified law enforcement and credit reporting agencies, and has offered those affected one year of complimentary services with Identity Guard,” according to Data Breaches.net. “The Identity Guard service also monitors chat rooms and other sites to detect if any Social Security number, credit card number or bank account number is being posted.”

“This matter only affects some mortgage customers of HSBC Finance Corp in the US,” HSBC confirmed to TechWeekEurope.

News of the breach first emerged in a notification to the New Hampshire Attorney General’s Office. It is thought that 685 residents of New Hampshire have been affected.

The breach affected customers of the firm’s subsidiaries, including Beneficial Financial I, Inc., Beneficial Homeowner Service Corporation, Beneficial Maine, Inc., Beneficial Massachusetts, Inc., Beneficial New Hampshire, Inc., Household Finance Corporation II, Household Finance Corporation of Alabama, Household Financial Center, Inc., and Household Realty Corporation.

“HSBC takes this very seriously and deeply regrets that this incident occurred,” said the bank in its notification.

It did not reveal how the breach occurred, other than “certain personal information about customer mortgage accounts was inadvertently made accessible via the Internet.”

Expert Take

The breach on the surface sounds potentially serious, and it is not clear at this stage whether the breach was down to human error or outside forces.

Meanwhile a number of security experts have voiced their thoughts regarding the breach.

“With so many of the bank’s subsidiaries being named, the number of those affected will likely be quite substantial,” said Troy Gill, manager security research, Appriver. “Since HSBC does not appear to be claiming that they suffered a breach by hackers it seems that they may have inadvertently stored the data in a manner that made it accessible on the internet.

“In this case the data could have potentially been compromised by countless groups/individuals to be used for nefarious purposes,” said Gill. “With personal information including social security numbers being involved, this could have a severe impact for their account holders.”

“This is an example of breach notification laws in action, for both good and bad,” said Tim Erlin, director security and risk at Tripwire. “We’re finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries so that the extent and impact is obscured.”

“The notification describes data ‘inadvertently made accessible via the Internet,’ which might simply mean a spreadsheet shared where it shouldn’t have been,” said Erlin. “It could be that this incident really is contained to 685 residents of New Hampshire, and was the result of simple human error.”

“The issue at hand is that customer files (or a single file containing data for multiple customers) was mistakenly transferred to a web server available on the WWW,” said Amichai Shulman, CTO Imperva. “That file (or those files) were indexed by Google (or some other search engine) and thus became available to everyone. My guess is that they became aware of it through someone who did some Google snooping and incidentally bumped into this file.”

Tom Jowitt
