HSBC data breach affects U.S. customers
Consumers warned to be vigilant as trust is “becoming more fragile”
HSBC has confirmed a data breach occurred in October, resulting in the hacking of a number of U.S. customer accounts. The bank said that the perpetrators may have accessed information including account numbers and balances, statement and transaction histories and payee details, as well as users’ names, addresses and dates of birth. According to the BBC, HSBC believes that fewer than 1% of its American clients were affected. The bank has approximately 1.4 million accounts in the U.S. So far, it said it has not seen any evidence of fraudulent activity as a result of the breach. However, there have been no details of the attack or its precise nature.
Consumer trust “becoming more fragile”
Ian Woolley, chief revenue officer at data tracking platform Ensighten, criticised the extent of information accessed by hackers. He warned that it is having a negative impact on consumer trust. Woolley commented:
Look at everything that was compromised with the HSBC breach: both PII and financial history, … It’s no wonder that consumers are growing frustrated with the steady stream of data breach news these days, and their trust is becoming more fragile.
The HSBC data breach was reported to California’s Attorney General Office on November 2nd. However, the bank became aware of the unauthorised access between 4 October and 14 October. In a statement, HSBC said:
HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously, … We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service.
It is not known whether the attackers have tried to use the data to steal customers’ savings.
What information was stolen in the HSBC data breach?
According to the HSBC report, compromised personal details include “full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history”.
How did the perpetrators gain access?
Just how the hackers managed to break in has yet to be verified. Cyber security experts suspect that a technique known as ‘credential stuffing’ was used during the HSBC data breach. Tim Callan, senior fellow at online security certificate authority Sectigo, said:
Credential stuffing attacks are an example of how broadly information theft can be exploited by sophisticated criminals. Even seemingly innocuous personal details, stolen in a context that appears to be completely devoid of risk for critical information theft, can then be repurposed to gain inappropriate login access somewhere else.
Mr Callan warned that consumers should only ever share information with online parties they know and trust. One way they can check the identity of a website operator is to look for the company’s name in the browser’s address bar, adjacent to the URL. Callan explained:
When it appears in the browser this way, you can trust that this information has been authenticated and you’re seeing the actual name of the company that operates this site.