HSBC has been hit by an insider data theft, with reports that information on 24,000 HSBC customers with Swiss accounts has been stolen.
HSBC has said that a former IT employee of its Swiss subsidiary, HSBC Private Bank (Suisse) SA, identified by French authorities as Herve Falciani, obtained the information between late 2006 and early 2007.
The accounts, held by individuals worldwide, were all opened before October 2006 and some 9,000 have since been closed, according to the Associated Press.
The bank said it has contacted the affected customers and does not believe the data has allowed, or will allow, any unauthorised person to access the affected accounts. The stolen information concerns only accounts held in Switzerland, with the exception of those at its former subsidiary HSBC Guyerzeller Bank.
Alexandre Zeller, chief executive of the Swiss subsidiary, said: “We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy. We are determined to protect our clients' interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts.”
The Swiss Financial Market Supervisory Authority (FINMA) has said that it has opened an investigation into whether HSBC failed to meet legal requirements to prevent data theft.
Steve Moyle, founder and CTO of Secerno, said: “From a security standpoint there are a number of things that make this newsworthy. First, the breach was allegedly committed by an insider, and insider theft is among the greatest dangers to financial data.
“Second, it appears that the suspect was attempting to sell the data, with speculation that he was offering the information to countries to identify tax evaders. Third, there is the numbers question. How could HSBC identify ‘fewer than ten’ affected and then have a breach that in reality numbered in the tens of thousands?
“Finally, there is the question of sovereignty. France is one country that has access to some of the data. It has promised to turn the data over to Switzerland, but the plain fact is there is no clear-cut law that would prohibit France from using the data against citizens who were using Switzerland to avoid taxation. With truly international data breaches, how long will it take to get truly international legislation?”
Udi Mokady, Cyber-Ark's president and CEO, said: “We're surprised as the data theft appears to be down to a lack of privileged account controls at the bank. Here is yet another powerful example of the significant risk of unmanaged and unmonitored privileged accounts.
“We are seeing that organisations now get the message about the high risk of not controlling their privileged accounts and super users and of not recording their privileged sessions, and that there are proven processes, procedures and products available to help address exactly this type of privileged identity risk.”