Add HSBC to the long list of financial institutions whose customer data has been compromised.
Some U.S. customers of HSBC were alerted that their accounts had been compromised in a letter dated Nov. 2. Less than 1% of the bank’s U.S. customers were affected by the breach, the company confirmed to BBC on Tuesday.
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” the bank said, according to BBC. “We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”
According to the letter, customer accounts were accessed during the first half of October. This breach included customers’ full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction histories, and statement histories. Even more data could have been compromised, Jarrod Overson, director of engineering at Mountain View, Calif.-based security firm Shape Security, said. The circumstances of the breach suggest the attackers already had user passwords, he said.
Often hackers will make use of user names and passwords compromised in prior breaches, and plug them into other institutions – a tactic known as an account takeover or “credential stuffing.” Major breaches such as those at Equifax and Yahoo have given hackers plenty of such user credentials to work with, experts say.
“This is typical for account takeovers due to credential stuffing and, with over 7 billion credential records spilled since 2015, it’s reasonable to assume this could happen to just about anybody,” Overson said.
Since HSBC is based in the U.K., it is subject to the General Data Protection Regulation (GDPR) — a set of data-handling rules put forth by European Union regulators that went into effect in May. Companies must disclose breaches within 72 hours or they will be fined €20 million ($24.5 million) or 4% of their global annual revenue.
Customers of HSBC should change their passwords and consider additional security measures, Jacob Serpa, product marketing manager at Campbell, Calif.-based cloud security firm Bitglass, said.
HSBC suggested affected customers monitor account transactions and place fraud alerts on their accounts. It is providing customers a one-year subscription to Identity Guard credit monitoring service.