HSBC confirmed today it suffered a data breach last month affecting about one percent of its US accounts and exposing an extensive amount of customer information.
In a data breach notification letter sent to the California attorney general's office, HSBC said that between 4 and 14 October the accounts were accessed by unauthorised users. The information possibly compromised included full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.
HSBC did not say exactly how many people were affected by this breach, but its website boasts of 38 million customers worldwide.
"We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service," Rob Sherman, US head of media relations, HSBC External Affairs, told SC Media.
The bank is also recommending customers protect access to their banking accounts by regularly changing and using strong passwords and to monitor their accounts for unauthorised activity.
Corin Imai, senior security adviser at DomainTools said: "This is simply the latest in a long line of breaches indicating that we as an industry have room for improvement in how we handle and protect sensitive data. Financial institutions have been making large strides in protecting customer data since it is among the most valuable data to steal, and potentially the most damaging type of PII to be exposed. It appears that HSBC is taking the proper steps in notification and handling of impacted customers."
Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, commented: "Unless the scope, circumstances and total number of affected customers become known, it would be premature to make any categorical conclusions.
"Allegedly, only US customers are affected, thus it may indicate that the breach occurred via an authorised third-party or careless employee.
"Data leaks caused by negligent third-party providers become more and more frequent these days. An abandoned US-based web system with a limited set of customers' data can also be among the possible attack vectors. Often large companies deploy demo systems to production for legitimate testing purposes, consequentially forgetting about them, leaving the unprotected systems and data externally accessible."
Rusty Carter, Vice President of Product Management at Arxan Technologies commented: "This highlights that every company is vulnerable to a breach and there’s a constant flow of attacks from the endpoint that are leading to successful theft.
"Companies need to treat the web and the browser application itself as a critical access point for enterprise security. Many companies stop at the network perimeter and are subsequently breached by their own APIs, browser/web apps and mobile applications that have been compromised."
This article was originally published on SC Media US.