HSBC Mexico customers report unauthorized transactions. Data breach at HSBC Latin America?

Thousands of HSBC bank users in Mexico and Latin America report receiving charges of between $2 and $10 on their accounts, a situation that has also been repeated on some recently activated credit cards. Users voiced their concern about these charges on Twitter, as it was unclear whether the incident was a bank mistake or was related to a data protection issue.

Cybersecurity specialists also expressed concern about how banks allow transactions from companies in Europe or the United States when an account is located in Mexico. After a call to HSBC Mexico, it was revealed that the bank is asking for about $20 USD to investigate these unauthorized charges and is asking users to block their cards, with an additional $7 USD fee to issue a new card.

While this seems to be a rather confusing situation for HSBC customers, data protection experts claim to have found the answer. A data breach incident appears to have affected the bank, so customers need to sign up for protection services against identity theft and other fraud.

However, in situations like this, banks are responsible for offering their customers these protection services for free, usually for one-year periods. In this case, everything indicates that HSBC has refused to acknowledge the data breach and expects users to pay for their own data protection service. As if that wasn’t enough, the bank could have been the victim of a new security incident like the one in Mexico and other Latin American countries in 2018, although HSBC has not commented on it.

In 2018, HSBC released a statement saying that the bank accounts of some customers in the U.S. had been hacked and that hackers could have accessed information on statements, transactions and balances, among other financial details, in addition to personally identifiable details (names, addresses, dates of birth, etc.).

The bank allegedly notified all users potentially affected by this incident directly: “The safety of our customers is a fundamental issue for us. HSBC regrets the incident and assumes responsibility for protecting the information of affected users, notifying them of unauthorized access and offering a year of credit monitoring and identity theft protection services.”

For now the bank is unclear about the motivations of the attackers, as they could sell this information or even try to steal money from the accounts themselves. According to an expert familiar with the matter, during this incident hackers used a technique known as credential stuffing, in which they collect login data exposed in other incidents to try to gain access to online banking accounts, social media profiles or email accounts.

“So far HSBC has revealed very few details about the incident,” says Alan Woodward, a data protection expert at the International Cyber Security Institute (IICS). “The investigation is still ongoing, so the bank is implementing the necessary measures to protect the information of its customers and keep the authorities on track; soon, many details will need to be revealed by the bank.”

While the investigation is being completed, users are advised to reset their mobile banking access passwords and to notify the bank of any unauthorized transactions. If the bank continues to refuse to pay for the protection of affected users, it is recommended to record the call and send it to the agencies responsible for consumer protection, in addition to posting it on social networks.