HSBC customers hit by data breach in US business

HSBC is the latest in a long line of global names to fall victim to a data breach, this time concerning the bank’s retail business in the USA. Hackers netted account holder details, statement histories and other sensitive information, the Financial Times online reports.

 The breach took place between 4th and 14th October, HSBC said in a statement, adding that affected accounts had online access shutdown as soon as the nefarious activity was detected, and that no customers had suffered financial loss as a result.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” a spokesman for the bank said.

HSBC stated that log-in and authentication processes have since been galvanised and that a package of a year’s free credit-monitoring and identify-theft prevention services has been extended to victims.

An expert has said that the hackers may have used “credential stuffing” to get through the bank’s security systems, a technique that sees personal details harvested from elsewhere being used to obtain unauthorised access to the HSBC accounts.

Speaking on the BBC news website, Prof Alan Woodward of the University of Surrey said:

“The information made public so far by HSBC is quite limited,” said Prof Alan Woodward from the University of Surrey.

“It is clearly still investigating what happened whilst taking the actions necessary to protect customers and advise regulators.

“There’s a lot more information we’ve yet to see, which I hope HSBC makes public when it has it.”

Stephen Moore, Chief Security Stratagist at Exabeam explains:

“The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organisational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust.

“In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access bank accounts. To protect against these types of attacks, organisations must shift the enterprise security strategy.

“To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts.

“This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to client/member/customer-facing incidents.”


The inaugural Data Protection World Forum (DPWF) will be held on November 20th & 21st 2018 at the ExCeL London which will provide a broader focus across the data protection and privacy space amidst the progressive tightening of global data protection laws.

Ahead of the end of year event, DPWF has launched a series of intensive workshops.

Further information on the DPWF and workshop details are available at: https://www.dataprotectionworldforum.com/