The Los Angeles Post

US customers affected by HSBC bank breach

by ·

Multinational bank HSBC this week said hackers gained unauthorized access to the accounts of some of its U.S. customers in October.

The lender sent a letter to California-based customers on Nov. 4 notifying them that hackers may have accessed sensitive information like their “full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.”

The cyberattack took place Oct. 4-14 and less than 1 percent of U.S.-based clients were affected, HSBC said.

Public details about the breach are limited, and it is unclear whether the hackers sought to use such data to pilfer savings at the bank.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” Robert Sherman, head of HSBC’s media relations in the U.S., said in a statement to The Hill on Wednesday.

He added that the bank is looking to boost its cybersecurity.

“We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts,” Sherman said. “We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identify theft protection service.”

The lender said the breach was the result of a “credential stuffing” attack, in which the cyber criminals gained access to personal information from others sources that ultimately allowed them to gain unauthorized access to HSBC accounts.

Credential stuffing can stem from cases where a customer uses the same password on multiple sites, including the same password for online banking.

“We are advising our consumers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts,” Sherman said.