Incident Of The Week: HSBC Bank Alerts U.S. Customers of Data Breach

14,000 Customers’ Data Estimated To Be Compromised

Esther Shein

An estimated 14,000 U.S. customers of London-based HSBC bank may have had their personal data compromised – although the bank says no signs of fraud have been detected so far.

The data breach at the world’s seventh largest bank and the largest in Europe appears to have occurred between Oct. 4 and Oct. 14, HSBC said in a notice of a data breach it filed with the office of California’s state attorney general. Some of the data breach victims reside in California.

Once it became aware of the breach, the bank “suspended online access to prevent further unauthorized entry” to affected accounts, HSBC said.

"The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information and statement history where available," HSBC said in its data breach notification.

Although the bank declined to specify the exact number of customers impacted, it said the figure was less than one percent, The Telegraph reported. HSBC has about 1.4 million accounts in the U.S.

The bank offered customers a complimentary one-year subscription to a credit monitoring and identity theft protection service “out of an abundance of caution.”

Since the data breach was discovered, the bank said it has enhanced its authentication process for HSBC Personal Internet Banking, “adding an extra layer of security,” according to its notification.

HSBC also apologized to customers “for this inconvenience,” and said it “takes this very seriously and the security of your information is very important to us.”

The bank didn’t supply any information on whether its data breach investigation is continuing or on any other measures it may be taking. Alan Woodward, a professor of computer security at the University of Surrey in England, told the BBC that the breach has the characteristics of a “credential stuffing attack.”

In this type of attack, criminals take usernames, passwords or other personal data that has been stolen or leaked and use it to access a user's account with other sites or services.