Cybersecurity experts have reacted to the recent HSBC data breach, warning that consumer trust is “becoming more fragile”.
The breach was reported to California’s Attorney General Office on 2 November, but media outlets first reported the breach two days ago.
The bank became aware of the unauthorised access between 4 October and 14 October.
According to the HSBC report, compromised personal details include “full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history”.
Ian Woolley, chief revenue officer at data tracking platform Ensighten’s, criticised the extent of information accessed by hackers and warned that it is having a negative impact on consumer trust.
“Look at everything that was compromised with the HSBC breach: both PII and financial history,” he said.
“It’s no wonder that consumers are growing frustrated with the steady stream of data breach news these days, and their trust is becoming more fragile.”
Fewer than 1% of the firm’s US clients were reportedly affected. In a statement, HSBC said:
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously.
“We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service.”
How did hackers get in?
While the means of entry are yet to be verified, cybersecurity experts believe that a technique known as ‘credential stuffing’ was used during the HSBC data breach.
Tim Callan, senior fellow at online security certificate authority Sectigo, explains:
“Credential stuffing attacks are an example of how broadly information theft can be exploited by sophisticated criminals. Even seemingly innocuous personal details, stolen in a context that appears to be completely devoid of risk for critical information theft, can then be repurposed to gain inappropriate login access somewhere else.
“Consumers should only share information with online parties they know and trust. One of the ways they can be sure of the identity of a website operator is to look for the company’s name in the browser’s address bar adjacent to the URL.
“When it appears in the browser this way, you can trust that this information has been authenticated and you’re seeing the actual name of the company that operates this site.”
HSBC data breach is latest in spate of cross-industry hacks
While there have been numerous data breaches in recent months – from the high profile Facebook breach to the Radisson Hotel’s reward scheme compromise – the banking sector has traditionally had more robust cybersecurity defences.
Commenting on this, Corin Imai, senior security adviser at threat intelligence provider DomainTools, said:
“This is simply the latest in a long line of breaches indicating that we as an industry have room for improvement in how we handle and protect sensitive data.
“Financial institutions have been making large strides in protecting customer data since it is among the most valuable data to steal, and potentially the most damaging type of PII to be exposed.”
She added that HSBC appears to be taking the “proper steps in notification and handling of impacted customers”.
Echoing this, Rusty Carter, vice president of product management at cybersecurity firm Arxan Technologies said that the HSBC data breach shows that “every company is vulnerable to a breach”.
He added that companies need to take greater care with the security around their own applications and advised consumers to use unique passwords for each site to prevent a compromised one being used elsewhere.