HSBC Bank Alerts US Customers to Data Breach
'Unauthorized Entry' to Some Accounts Exposes Account Details and Statements
HSBC Bank is warning some of its U.S. customers that their personal data was compromised in a breach, although it says it's detected no signs of fraud.
The data breach affects only the U.S. operations of London-based HSBC, which is the world's seventh largest bank and the biggest in Europe.
HSBC says the breach appeared to run from Oct. 4 to Oct. 14. After spotting the breach, the bank says in a notification announcement, it "suspended online access to prevent further unauthorized entry" to affected accounts.
"The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history where available," HSBC says in its data breach notification.
At least some of the data breach victims reside in California; HSBC filed with the office of California's state attorney general a copy of the notice of a data breach, dated Nov. 2, that it's been sending to state residents, as it's legally required to do. HSBC's data breach notice filing was first reported by databreaches.net on Monday.
14,000 Customers May Be Affected
An HSBC spokeswoman tells Information Security Media Group that less than 1 percent of HSBC's U.S. customers were affected by the data breach.
The bank declined to quantify how many U.S. customers it has. But The Telegraph reports that HSBC manages about 1.4 million U.S. accounts, meaning 14,000 customers may have been affected.
"HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously," the bank says in a statement sent to ISMG.
"We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts," the statement notes. "We have notified those customers whose accounts may have experienced unauthorized access and are offering them one year of credit monitoring and identity theft protection service."
HSBC's data breach notification to victims also notes: "You may have received a call or email from us so we could help you change your online banking credentials and access your account."
The bank declined to comment about whether its data breach investigation is continuing and what additional resources it may have brought to bear.
"It is clearly still investigating what happened whilst taking the actions necessary to protect customers and advise regulators," Alan Woodward, a professor of computer security at the University of Surrey, tells the BBC. "There's a lot more information we've yet to see, which I hope HSBC makes public when it has it."
Suspected: Credential-Stuffing Attack
While HSBC has released scant details, Woodward says this breach has all of the hallmarks of a "credential stuffing" attack. Such attacks involve criminals taking usernames, passwords or other personal data that has been stolen or leaked and using it to access a user's account with other sites or services. Millions of such leaked credentials have come to light.
Anti-fraud firm Shape Security tells ISMG that it tracks 232 million credential stuffing account takeover attempts launched against financial services firms daily, noting that about 1 in 2,000 of these are successful.
Shape Security estimates that in 2017, the U.S. consumer banking sector lost nearly $50 million per day to credential stuffing attacks. It notes that hotels, airlines and retail sector organizations are also at risk from such attacks.
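How a site's security team might spot this pattern in its own login logs, as an added example that is not from the article, HSBC or Shape Security: a credential stuffing source tries many different usernames and almost all of them fail, unlike a customer retyping one password or an office sharing one address. The event layout, function names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, login succeeded).
# IPs are from the documentation ranges; usernames are made up.
def build_sample_events():
    base = datetime(2020, 1, 1, 9, 0, 0)
    events = []
    # One source trying a different username every 2 seconds, one hit in 40.
    for i in range(40):
        events.append((base + timedelta(seconds=2 * i), "203.0.113.7", f"user{i:03d}", i == 17))
    # A customer mistyping their own password twice, then getting in.
    for i, ok in enumerate([False, False, True]):
        events.append((base + timedelta(seconds=30 * i), "198.51.100.20", "alice", ok))
    # An office NAT: several users behind one address, nearly all successful.
    for i in range(12):
        events.append((base + timedelta(seconds=20 * i), "192.0.2.55", f"staff{i}", i != 3))
    return sorted(events)

def flag_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=20, max_success_rate=0.10):
    """Return {ip: (distinct_usernames, success_rate)} for sources that, within
    any single window, try many distinct usernames and mostly fail.
    The thresholds are illustrative assumptions, not tuned values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            rate = sum(ok for _, _, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), rate)
    return flagged

if __name__ == "__main__":
    for ip, (users, rate) in flag_stuffing_sources(build_sample_events()).items():
        print(f"{ip}: {users} distinct usernames, {rate:.1%} success")
```

Keying on source IP alone misses attempts spread across many addresses, so the same grouping is worth repeating on other request attributes the site logs.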
The best defense against credential stuffing attacks is for users to never reuse a password on more than one site. Unfortunately, many users do reuse their credentials.
"This is the underlying problem: People have said: 'Hey, I have a favorite password, it's my cat's name and this is the year that it was born; this is fantastic and I'm going to use it everywhere,'" password security expert Troy Hunt, who runs the free Have I Been Pwned breach notification site, told ISMG earlier this year (see: Credential Stuffing Attacks: How to Combat Reused Passwords).
But if a credential combination stolen from one site also works on a second site, website B, then the user's account and data can be put at risk, and website B, which isn't at fault, may be blamed for the unauthorized access.
"This website B didn't necessarily do anything wrong, but now they've got to deal with the risk of ... an attacker logging in with a victim's credentials," Hunt said. "That's a really hard problem."
To help, Hunt this year introduced a free Pwned Passwords service, which sites can use to review a user's credentials and see if they've already been used in previous breaches that have come to light.
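A sketch of how a site could run that check at sign-up or password change, as an added example that is not code from the article or from Have I Been Pwned: Pwned Passwords offers a range lookup in which the site sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally. The function names and the rejection threshold are assumptions, and the offline stand-in for the service and its counts are constructed.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

def sha1_split(password):
    """Upper-case hex SHA-1, split into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup: only the 5-character hash prefix leaves the site."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-signup-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = sha1_split(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded filler rows carry a count of 0
    return 0

def password_allowed(password, fetch=fetch_range, threshold=1):
    """Hypothetical policy: refuse any password seen `threshold` or more times."""
    return breach_count(password, fetch) < threshold

def make_offline_fetch(corpus):
    """Constructed stand-in for the service; corpus maps password -> count."""
    def fetch(prefix):
        rows = []
        for pw, n in corpus.items():
            p, s = sha1_split(pw)
            if p == prefix:
                rows.append(f"{s}:{n}")
        rows.append("0" * 35 + ":0")  # constructed padding row
        return "\r\n".join(rows)
    return fetch

if __name__ == "__main__":
    offline = make_offline_fetch({"Fluffy2009": 4321})  # constructed count
    for pw in ("Fluffy2009", "a-long-unique-passphrase-7261"):
        print(pw, "allowed" if password_allowed(pw, offline) else "rejected")
```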
HSBC: Prior Breaches, Disruptions
HSBC has suffered other data breaches and online attacks. Here's a timeline:
- July 2009: The Financial Services Authority fined three HSBC firms a total of £3 million after a string of problems, including losing an unencrypted disc containing customers' personal details, as well as leaving such information lying around offices.
- January 2010: HSBC said that a former employee had stolen information pertaining to up to 24,000 clients' accounts in Switzerland, which he turned over to French tax authorities.
- October 2012: Access to customer accounts was disrupted by distributed denial-of-service attacks launched by Izz ad-Din al-Qassam Cyber Fighters, a group that U.S. intelligence officials have said was a cover for an Iranian government campaign.
- March 2015: HSBC Finance in the U.S. discovered a data breach involving mortgage data that appeared to have begun in 2014.
- January 2016: HSBC repelled fresh DDoS attacks, but its mitigation efforts left some customers unable to access their accounts (see DDoS Attack Slams HSBC).
- June 2016: HSBC faced repeat DDoS attacks, with its mitigations leading to repeat account access disruptions for some customers.
This story has been updated to correct the potential number of data breach victims.