HSBC became a target in October. The bank confirms it suffered a data breach in which account details of some of its online customers were exposed.
HSBC believes the perpetrators carried out the attacks between October 4, 2018 and October 14, 2018. Fortunately, only a small number of customers were affected, reportedly less than 1%. Those affected had the following information stolen: full name, mailing address, date of birth, phone number, email address, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.
As a safety measure, online access to affected accounts was suspended to guard against further unauthorized entry. Impacted users received calls or emails prompting them to change their banking details before accessing their accounts.
American Banker was able to talk with Rob Sherman, U.S. head of media relations for the bank, who said, “HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously.” He added, “We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”
Rob Sherman went on to say that the technique used was credential stuffing, a cyberattack technique in which stolen account credentials (often lists of usernames, email addresses and passwords) are used to gain unauthorized access to other user accounts. Basically, cybercriminals steal credentials from other sites and then try them out on a banking site, which in this case was HSBC. Because many people use the same credentials on multiple sites, this attack method is very likely to work.
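On the defender's side, credential stuffing tends to show up in login logs as one source trying many different usernames with a low success rate. The sketch below is an added example, not from the article or from HSBC's own controls; the log format, function names and thresholds are assumptions and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2020-01-01T09:00:01 203.0.113.7 user01 FAIL
2020-01-01T09:00:03 203.0.113.7 user02 FAIL
2020-01-01T09:00:05 203.0.113.7 user03 OK
2020-01-01T09:00:07 203.0.113.7 user04 FAIL
2020-01-01T09:00:09 203.0.113.7 user05 FAIL
2020-01-01T09:00:11 203.0.113.7 user06 FAIL
2020-01-01T09:01:00 198.51.100.20 carol FAIL
2020-01-01T09:01:20 198.51.100.20 carol OK
2020-01-01T09:02:00 192.0.2.50 dave FAIL
2020-01-01T09:02:01 192.0.2.50 dave FAIL
2020-01-01T09:02:02 192.0.2.50 dave FAIL
"""

def parse(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.25):
    """Return {ip: time of first alert} for sources that try at least
    `min_users` distinct usernames inside `window` while mostly failing.
    A mistyped password or guessing against one account does not match,
    because the count is over distinct usernames, not attempts."""
    recent = defaultdict(deque)          # ip -> attempts still in window
    alerts = {}
    for ts, ip, user, ok in sorted(map(parse, lines)):
        attempts = recent[ip]
        attempts.append((ts, user, ok))
        while ts - attempts[0][0] > window:   # expire old attempts
            attempts.popleft()
        users = {u for _, u, _ in attempts}
        successes = sum(1 for _, _, o in attempts if o)
        if (len(users) >= min_users
                and successes / len(attempts) <= max_success_ratio):
            alerts.setdefault(ip, ts)
    return alerts

if __name__ == "__main__":
    for ip, when in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"possible credential stuffing from {ip} at {when}")
```

Attackers often spread attempts across many source addresses, so per-IP counting like this is a starting signal rather than complete coverage.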
“We apologize for this inconvenience. HSBC takes this very seriously and the security of your information is very important to us,” the bank wrote in a statement. The statement also included some precautionary advice, which applies not only to HSBC customers but to the online banking community at large:
– Online account owners should monitor their account transactions for any unauthorized activity and contact their bank immediately if any is noticed.
– Fraud alerts should be placed on credit files, which tell creditors to contact the account owner before they open any new accounts or change existing accounts.
– Periodically obtain and review your credit reports for any information relating to fraudulent transactions to help you spot problems and address them quickly.
– Contact the police if you find any suspicious activity on your credit reports or suspect your personal information is being misused.