HSBC Confirms US Customer Data Breach
The international lender confirmed US-based customers’ accounts were compromised between 4th and 14th October 2018.
HSBC has confirmed it suffered a data breach, which has compromised US customers’ bank accounts.
The bank announced that cyber criminals could have accessed a variety of personal details, including account numbers and balances, names, addresses, dates of birth and transaction histories.
Customers believed to have been affected have been informed, the bank said in a statement.
Online accounts at the bank were breached between 4th and 14th of October this year as part of a “credential stuffing” attack.
This form of attack involves hackers using passwords taken from elsewhere – such as an account previously compromised or affected by a data breach – and attempting to use them to log in.
While this particular method often relies on customers using the same password, it can be highly effective.
HSBC said less than 1% of its customers in the US had been affected by the breach and that those believed to have been compromised will be offered credit monitoring services.
Additional steps to improve online security will also be implemented, the bank confirmed.
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” a statement from the bank read.
“We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service.”
Data breaches have become a recurring theme throughout 2018 so far, and consumer confidence is often affected by damaging events such as this. On this occasion, however, the fault may not lie completely with HSBC.
“Looking at the details of the breach, it looks as if the way that they think this breach occurred is through the reuse of credentials from other websites for online banking accounts,” he explained. “Meaning that the attackers may have come across the credentials in another breach and tried them on HSBC to see how many were reused.”
Anderson added: “This is not really something that HSBC could have done much about since this has been a choice made by their customers. This kind of breach should be a wake-up call to customers to craft unique credentials for online banking accounts, and to use complex passwords.”