HSBC suffers data breach on small number of online accounts

A small number of HSBC online banking customers — less than 1% of accounts — were breached last month by unauthorized users, the bank acknowledged Tuesday.

HSBC sent a disclosure notice Nov. 2 to customers saying the breaches occurred between Oct. 4 and Oct. 14 of this year. The bank suspended all affected accounts.

Customer information that may have been accessed includes full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

"HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously," said Rob Sherman, U.S. head of media relations for the bank, told American Banker on Tuesday. "We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identify theft protection service."

HSBC headquarters
The logo for HSBC Holdings Plc is displayed on the bank's headquarters building in Hong Kong, China, on Sunday, July 30, 2017. HSBC is set to announce plans to buy back $2 billion of shares when it unveils second-quarter results on July 31, the Sunday Times reported, without saying where it got the information. Photographer: Anthony Kwan/Bloomberg
Anthony Kwan/Bloomberg

The breach may have occurred through a technique called "credential stuffing," in which hackers who have stolen passwords for other websites try them out on an online banking site, under the assumption that people use the same passwords everywhere they go on the web. It's a pretty safe assumption: According to a survey of 1,000 people conducted last year by Keeper Security, more than 80% of U.S. adults reuse the same password across multiple accounts.

“We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts,” Sherman said.

When it detected the breach, HSBC suspended online access for affected accounts and required impacted customers to contact it. The bank began requiring online banking customers to enter additional pieces of personal info along with user name and password when logging in.

One way the bank is enhancing authentication for online banking is through the use of Captcha, which uses visual images and a challenge-response test to determine if a log-on attempt is being made by a human.

In 2015, HSBC notified mortgage customers of a data breach that had taken place the year before.

Personal information about mortgage accounts was “inadvertently made accessible via the Internet,” including customers’ names, Social Security numbers, account numbers, old account information and possibly some phone numbers, the bank said at that time. At that time, HSBC said it strengthened online security and offered customers a free one-year subscription to Identity Guard.

The current breach demonstrates an unusually quick reporting time. The customer letter came out 19 days after the breach occurred. Often in data breaches, disclosure comes several months after an attack. This may be a result of regulatory pressure. Europe's General Data Protection Regulation requires companies to disclose personal data breaches to regulators and affected customers within 72 hours of becoming aware of them.

For reprint and licensing requests for this article, click here.
Cyber security Data breaches Online banking Identity verification HSBC
MORE FROM AMERICAN BANKER