Breach of the Week: HSBC

What Happened:

HSBC bank is notifying U.S. customers of a breach that has compromised personal and financial data.  The attack occurred over a 10-day period, from October 4 to October 14.  After HSBC detected the breach, the bank announced it “suspended online access to prevent further unauthorized entry” to affected accounts.

Although the bank operates internationally, a spokeswoman informed the press that the breach affected less than 1 percent of U.S. customers.  The total number of U.S. customers is unknown, but The Telegraph suggests that HSBC manages 1.4 million U.S. accounts, which translates to around 14,000 affected customers.

In the data breach notification, HSBC announced that the information compromised includes:

  • Full name
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Account numbers
  • Account types
  • Account balances
  • Transaction history
  • Payee account information
  • Statement history

Method of Attack:

The method of the attack is unknown; however, it is widely suspected that the breach was a “credential stuffing” attack.  In this type of attack, the hacker uses stolen or leaked usernames, passwords or other personal data to access a user’s account.  The method is easy to carry out when individuals reuse the same log-on credentials for multiple accounts.
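As an added example (not from HSBC or the original post), the sketch below shows how a defender might spot the pattern described above in login records: one source trying many different accounts once or twice each, with only a few logins succeeding. The log format, the sample lines, the function names and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: "<timestamp> <source IP> <username> <OK|FAIL>".
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T09:00:{i:02d}Z 203.0.113.7 {u} {'OK' if u == 'erin' else 'FAIL'}"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2024-01-01T09:01:{i:02d}Z 198.51.100.20 bob FAIL" for i in range(6)]
    + ["2024-01-01T09:02:00Z 192.0.2.15 carol FAIL",
       "2024-01-01T09:02:09Z 192.0.2.15 carol OK"]
)

def summarize(log):
    """Per source IP: usernames tried, attempt count, usernames that logged in."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": set()})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of crashing
        _, ip, user, outcome = parts
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if outcome == "OK":
            s["ok"].add(user)
    return stats

def classify(log, min_users=5, max_hit_rate=0.2):
    """Label each source; thresholds are illustrative assumptions, not tuned values."""
    verdicts = {}
    for ip, s in summarize(log).items():
        n_users = len(s["users"])
        per_user = s["attempts"] / n_users   # tries per targeted account
        hit_rate = len(s["ok"]) / n_users    # share of targeted accounts opened
        if n_users >= min_users and per_user <= 2 and hit_rate <= max_hit_rate:
            verdicts[ip] = "credential-stuffing"  # many accounts, few tries each
        elif per_user >= 5:
            verdicts[ip] = "password-guessing"    # few accounts, many tries each
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(log):
    """Usernames that logged in successfully from a source flagged as stuffing."""
    verdicts, stats = classify(log), summarize(log)
    return sorted(u for ip, v in verdicts.items() if v == "credential-stuffing"
                  for u in stats[ip]["ok"])

if __name__ == "__main__":
    print(classify(SAMPLE_LOG), accounts_to_reset(SAMPLE_LOG))
```

Per-source counting is only one signal, because the same pattern can be spread across many source addresses. The accounts returned by `accounts_to_reset` are the ones whose credentials would need to be changed.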

HSBC Action:

After detecting the breach, HSBC responded by strengthening the log-on and authentication processes.  Additional layers of security for digital and mobile access to all personal and business banking accounts have been implemented.

HSBC is in contact with customers.  A data breach notification letter has been sent to victims explaining the breach.  The bank announced that it will be contacting individuals to help change online banking credentials.

Protecting Yourself:

If you were impacted by the breach, the first step is to change your online banking credentials.  Be sure to use unique passwords for different sites and accounts.  If you need tips on how to protect your information and passwords, check out our blog post here!  Also, remember to watch your accounts for fraudulent activity.