HSBC locks US customers out of accounts after data breach

Round HSBC sign on the wall of a bank building.
(Image credit: Shutterstock)

HSBC bank has locked some of its American customers out of their online accounts following a data breach.

The bank said it became aware of online accounts being accessed by unauthorised users between 4 and 14 October and has taken action by notifying customers - a template of which has been posted by the California Attorney General's office.

"When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account," the notice said.

According to the bank, the information that may have been accessed is quite significant and included full names, home and email addresses, phone numbers, dates of birth, transaction history, payee information and account details such as numbers, types, balances.

"HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously," a spokesman said. "We responded to this incident by fortifying our log-on and authentication processes and implemented additional layers of security for digital and mobile access to all personal and business banking accounts.

"We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service."

The bank has around 1.4 million accounts in the States and so far, it said it has not seen evidence of any fraudulent activity as a result of the breach. However, the details of the attack and its exact nature have not been fully explained.

"Unless the scope, circumstances and the total number of affected customers become known, it would be premature to make any categorical conclusions," said Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge. "Allegedly, only US customers are affected, thus it may indicate that the breach occurred via an authorized third-party or careless employee.

"Data leaks caused by negligent third-party providers have become more and more frequent these days. An abandoned US-based web system with a limited set of customers' data, can also be among the possible attack vectors. Often large companies deploy demo systems to production for legitimate testing purposes, consequentially forgetting about them, leaving the unprotected systems and data externally accessible."

Although its a security issue HSBC would not like to have, organisations that don't report attacks and breaches are fast becoming minorities as hackers are finding more and more clever and innovative ways to exploit vulnerabilities.

In the last year alone there have been data breaches on many airlines such as British Airways, Air Canada and Cathay Pacific. Organisations as big as FIFA have also fallen foul of hacking and even tech companies as big as Facebook have suffered attacks that have accessed personal data.

Bobby Hellard

Bobby Hellard is ITPro's Reviews Editor and has worked on CloudPro and ChannelPro since 2018. In his time at ITPro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognize him as the face of many of our video reviews of laptops and smartphones.