1% of HSBC bank customers affected by the data breach

HSBC bank USA announces about the data breach exposing customers' account numbers, balances and other information

Data breach in HSBC bank financial services affected customers in the US.

HSBC has just released a report announcing unauthorized access to the company's American customers' accounts.^[1] The act was initiated between October 4th and 14th. While the official statement does not specify how did hackers gain access to the bank's clients' data, it is already known that 1% of American customers were affected. Having in mind that the USA branch has around 1.4m accounts, that makes a generous number of victims.

The incident is believed to be related to the personal details bought in the black market. HSBC has already enhanced their authentication process. However, it is already known that hackers have exposed data like:

• account numbers;
• account balances;
• account types;
• date of birth;
• email addresses;
• full names;
• mailing addresses;
• phone numbers;
• statement history;
• transaction history;
• etc.

As HSBC says, online access was suspended to avoid further infiltration. The affected people were contacted at once and offered one-year subscription, credit monitoring as well as identity theft^[2] protection service. At the moment, the bank is offering help for all of the affected customers and is actively working on adding an extra layer of security:

We apologize for this inconvenience. HSBC takes this very seriously and the security of your information is very important to us.

The unauthorized access was initiated by using credential stuffing

It seems that the incident was implemented by using credential stuffing^[3] which is considered one of the most popular techniques to take over user accounts. In this case, logins are stolen from other databases in separate data breaches and then reused to gain unauthorized access to the targeted system. Then, hackers use so-called account checkers to check thousands of stolen logins automatically. If the login is successful, they take over the account and harvest personal information which is available.

Not the most significant data breach in the financial sector

This is not the first time the financial institution is suffering from the data breach. In 2014, JPMorgan suffered from the breach which is considered the largest customer data theft in history. It is already known that the breach exposed names, addresses, phone numbers and emails of more than 100 million customers.^[4]

Another hack that should be mentioned was related to the top accountancy firm called Deloitte. In this case, one of the biggest private firms in the USA was found to be hit in March 2017.^[5] Hackers managed to get a free access to all areas and connected to the confidential information, e.g. usernames, passwords, IP addresses, health information, and business data.

It is clear that the security in the financial sector has never been as important as it is now. Organizations need to take further steps to reduce their digital risks and regulate their standards. There is a massive need of investing in solutions that could help companies protect their databases and financial systems. Taking into account that the Christmas period has always been attracting hackers, business and customers should be very attentive not to fall for a fake email, deal or promotion.