HSBC has admitted that it has suffered an attack that compromised customer card data, but is only limited to Turkey.
In a statement, HSBC said that it identified the attack in the past week through its internal controls, and compromised information consisted of card and linked account numbers, card expiry dates and card holder names of our customers.
While HSBC said that there is no evidence that any of our customers’ financial information or personal information was compromised, it denied that the information can be used to print cards and withdraw money from ATMs or use internet or telephone banking with the compromised information.
“Only the linked account number was compromised,” it said. “The content of the account was not compromised. It is not possible to commit fraud with the linked account number. This information is regularly shared by our customers with the 3rd parties when they make money transfers and EFT transactions. No other information was compromised, including account numbers of term deposit accounts or other deposit accounts.”
Trey Ford, global security strategist at Rapid7, said: “HSBC Turkey has experienced a compromise where 2.7 million credit card numbers, expiration dates, names, and the associated HSBC account number were compromised. A couple of things stand out – the attack happened last week, and they’ve caught it already and they caught it themselves. This is impressive given that the vast majority of breaches are detected by third parties, and often not for months.
“HSBC is underscoring that cards will not be re-issued at this time and that the compromised data will not impact banking services. This is because ‘card present’ transactions require additional information that would be encoded on the magnetic strip, and for ‘card not present’ transactions, the card security code (CVC or CVV2) would be required to transact business.”