Content, Americas, Breach

HSBC Data Breach: How Hackers Hit U.S. Bank Accounts

Hackers last month reportedly broke into the HSBC bank accounts of some of the lender’s U.S. customers.

The cyber crooks, which hit the bank on October 4 - 14, may have been able to steal account numbers, balances, statements, transaction details along with personally identifiable information such as names, addresses and birthdates, the bank said. At this point, HSBC believes that fewer than one percent of its U.S. customers have been affected. On November 4, the multinational bank sent letters to its California-based customers to inform them of the breach, The Hill said. A template of the alert sent to customers has been posted online by the California Attorney General's Office, although the hack was not limited to that state.

Robert Sherman, head of HSBC's media relations in the U.S., told The Hill on Wednesday that “HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously." He said the bank is reinforcing its log-on and authentication processes, and putting in additional “layers of security for digital and mobile access to all personal and business banking accounts.”

An HSBC spokesperson told that last month, the bank’s “fraud monitoring team detected evidence that a relatively small percentage of online accounts (fewer than 1% of U.S. accounts) were being accessed by unauthorized users. In response, the bank immediately suspended online access and required affected users to contact the bank.” HSBC hasn’t provided any additional details on the break in, The Hill reported. The bank has notified hacked customers and is offering a year of credit monitoring and identity theft protection, Sherman said.

The cyber crooks apparently took advantage of poor password practices by some of the bank’s customers. Cybersecurity pros repeatedly warn users not to use the same password for multiple accounts. In the HSBC attack, the robbers employed a technique called “credential stuffing,” in which information harvested from other sources was used for unauthorized access to customer accounts. In this case, passwords used over and over again at multiple sites, including online banking, were vulnerable to that type of attack.

“We are advising our consumers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts,” Sherman said.

A recent study by security provider Kaspersky found that 93 percent of malware attacks it counted in its labs came from brute force password assaults. While this is not that, the point still remains -- be judicious about password hygiene.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.