HSBC Bank, the seventh-largest banking and financial services organization in the world and the largest in Europe, has been breached by hackers. The bank is now sending letters to an undisclosed number of customers notifying them that hackers have their data.
In a notification template submitted to the California Attorney General’s Office, HSBC said it became aware that online accounts were accessed by unauthorized parties sometime between October 4 and October 14, 2018.
“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account,” the notice reads. “You may have received a call or email from us so we could help you change your online banking credentials and access your account. We apologize for this inconvenience. HSBC takes this very seriously and the security of your information is very important to us.”
HSBC adds (emphasis ours), “The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.”
The bank provides no details of the breach, such as how the attackers managed to infiltrate its systems and then exfiltrate customer data. It does say, however, that its first action after containing the breach was to enhance the authentication process for HSBC Personal Internet Banking. This suggests the breach may have involved credential stuffing (where large numbers of previously breached credentials are “stuffed” into login forms until they are potentially matched to an existing account), or a vulnerability in the bank’s two-factor authentication (2FA) process.
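As an added illustration (not from the article, and not HSBC's own code), this is the kind of detection logic a defender would run over login logs to spot the credential-stuffing pattern described above: one source hitting many distinct accounts with mostly failed attempts. The log format and the sample lines are constructed for the example.

```python
# Heuristic credential-stuffing detector over constructed login-log lines (not HSBC data).
# Log format assumed: '<timestamp> <source_ip> <username> <OK|FAIL>', one attempt per line.
from collections import defaultdict

SAMPLE_LOG = """\
2018-10-04T08:00:01Z 203.0.113.5 alice.w FAIL
2018-10-04T08:00:02Z 203.0.113.5 bob.k FAIL
2018-10-04T08:00:03Z 203.0.113.5 carol.m OK
2018-10-04T08:00:04Z 203.0.113.5 dave.t FAIL
2018-10-04T08:00:05Z 203.0.113.5 erin.p FAIL
2018-10-04T08:00:06Z 203.0.113.5 frank.z FAIL
2018-10-04T09:15:10Z 198.51.100.7 grace.h FAIL
2018-10-04T09:15:25Z 198.51.100.7 grace.h FAIL
2018-10-04T09:15:40Z 198.51.100.7 grace.h OK
"""


def parse(line):
    """Split one log line into (source_ip, username, succeeded)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"


def detect_stuffing(log_text, min_attempts=5, min_distinct_users=4, max_success_ratio=0.25):
    """Return {source_ip: [accounts that logged in OK]} for IPs whose pattern looks like
    credential stuffing: many attempts across many distinct accounts, mostly failing.
    One user retyping their own password (one account, few attempts) is not flagged."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    successes = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, user, ok = parse(line)
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes[ip].add(user)
    flagged = {}
    for ip, n in attempts.items():
        ratio = len(successes[ip]) / n
        if n >= min_attempts and len(users[ip]) >= min_distinct_users and ratio <= max_success_ratio:
            # Accounts that succeeded from a stuffing source are the ones to suspend and re-credential.
            flagged[ip] = sorted(successes[ip])
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))  # {'203.0.113.5': ['carol.m']}
```

The thresholds are starting points to tune against a site's real traffic; the account list returned for a flagged source is what a bank would use to suspend access and force a credential reset, as HSBC's notice describes.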
On a slightly more positive note, customers are told HSBC is offering a complimentary year of credit monitoring via Identity Guard, which monitors and protects credit data and also alerts users to activity that could indicate identity theft. Customers must sign up for the freebie within 90 days; once that window closes they are no longer eligible.
According to Wikipedia, HSBC’s assets total US $2.374 trillion, as of December 2016, with annual revenue in the tens of billions. Last year alone, it raked in $51.445 billion, or 45.1 billion euros. Considering the sheer number of potential European clients and the amount of personally identifiable information compromised, HSBC stands to incur a stinging fine under the recently introduced General Data Protection Regulation. The GDPR’s penalties for such data breaches are calculated at up to 20 million euros, or 4% of the company’s annual turnover, whichever is greater. Needless to say, EU legislators won’t have too hard of a time making that calculation.