HSBC confirms data theft in the United States

The HSBC headquarters in Istanbul are pictured on June 9, 2015. Scandal-hit bank HSBC said on June 9 it would cut its global headcount by up to 50,000 as part of a restructuring that entails its withdrawal from Brazil and Turkey, while it also mulls abandoning London as its HQ. AFP PHOTO/ OZAN KOSE (Photo credit should read OZAN KOSE/AFP/Getty Images)

According to the bank, some of the accounts of its customers in the United States were hacked in October

HSBC systems in the United States were hacked last October, as reported by specialists in digital forensics from the International Institute of Cyber Security. The banking institution reported that hackers could have accessed information that includes account numbers and balances, account statements and transactions and account holder details, as well as names, addresses and users’ dates of birth.

According to the first reports, it is estimated that an amount equivalent to less than 1% of the bank’s American customers were affected. The bank has already established direct contact with those users who might have been affected by this security incident.

“HSBC regrets this incident and assumes responsibility for protecting affected customers very seriously”, the bank said in a statement. “We have notified those customers, whose accounts might have been compromised, and we offer a year of credit monitoring and identity theft protection services, and we also inform that our digital forensics teams are thoroughly analyzing the incident”.

The bank said the security breach occurred between October 4 and 14. It is still unclear whether attackers have tried to use this information to perform fraudulent transactions.

A security alert sent to affected customers has been posted online by the California attorney General’s office, although the hack is not confined to Californian territory. An expert in cybersecurity and digital forensics mentioned that the technique implemented in the attack is apparently a “credential filling” in which personal data collected through other websites were used to gain unauthorized access to the bank’s accounts.

“So far, the information provided by HSBC is quite limited, it does not include technical details of the hacking techniques used and the actual scope of the attack is unknown”, said Professor Alan Woodward of the University of Surrey.

“It is clear that the research is still ongoing, but it is necessary to know what happened to take the necessary measures to protect customers and advise regulatory authorities. There is much more information that we still do not know, that I hope HSBC will make public when the panorama becomes clearer”.