HSBC Bank Data Breach Exposed Customer’s Account Details and More

In a data breach notification letter addressed to the California attorney general’s office, HSBC said that somewhere between 4 and 14th October, unauthorized users accessed the accounts. The information compromised possibly contains the full name, mailing address, and phone number, and email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.

HSBC did not say exactly how many people were affected by this breach but boasts of having 38 million customers worldwide on its website, only less than 1% of accounts — were breached

Rob Sherman, U.S. head of media relations, HSBC External Affairs told SC Media “We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service,”

The breach may have happened through a technique called “credential stuffing,” in which hackers try to hack others website or account with and try them out on online banking site, under the assumption that people use the same passwords everywhere they go on the web.

In order to prevent credential stuffing attacks, users should regularly change their passwords and use unique passwords at each site they visit.

It’s a pretty safe assumption: According to a survey of 1,000 people conducted last year by Keeper Security, more than 80% of U.S. adults reuse the same password across multiple accounts.

“We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts,” Sherman said.

HSBC suspended online access for affected accounts when it detected the breach. It asked the impacted customers to contact it. The bank began requiring online banking customers to enter additional pieces of personal info along with username and password when logging in.

One way the bank is enhancing authentication for online banking is through the use of Captcha, which uses visual images and a challenge-response test to determine if a log-on attempt is being made by a human.

The current breach demonstrates an unusually quick reporting time. The customer letter came out 19 days after the breach occurred. Often in data breaches, disclosure comes several months after an attack. This may be a result of regulatory pressure. Europe’s General Data Protection Regulation requires companies to disclose personal data breaches to regulators and affected customers within 72 hours of becoming aware of them.