HSBC has confirmed that a recent data breach only relates to mortgage customers of HSBC Finance Corp in the USA.
In a notification, HSBC said that the notice was sent by HSBC Finance Corporation on behalf of its subsidiaries regarding a breach that it learned about on March 27th.
“At that time, we became aware of an incident where certain personal information about customer mortgage accounts was inadvertently made accessible via the internet which we believe was towards the end of last year,” the notification said. “This information included the name, social security number, account number and some old account information, and may have included phone numbers.”
HSBC said that it takes the issue seriously, and deeply regrets it happening. “We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident,” it said. “We have ensured that the information is no longer accessible publicly. The company has notified law enforcement and the credit reporting agencies of the incident, and no delay in advising you has been caused by law enforcement notification.”
The breach affected customers of the firm’s subsidiaries, including Beneficial Financial I, Inc., Beneficial Homeowner Service Corporation, Beneficial Maine, Inc., Beneficial Massachusetts, Inc., Beneficial New Hampshire, Inc., Household Finance Corporation II, Household Finance Corporation of Alabama, Household Financial Center, Inc., and Household Realty Corporation.
HSBC did not disclose how many were affected, telling IT Security Guru that “this matter only affects some mortgage customers”, although databreaches.net said that among those affected were 685 residents of New Hampshire.
Amichai Shulman, CTO of Imperva, said that he believed that the issue was due to customer files (or a single file containing data for multiple customers) being mistakenly transferred to a web server available on the wider web.
He said: “That file (or those files) were indexed by Google (or some other search engine) and thus became available to everyone. My guess is that they became aware of it through someone who did some Google snooping and incidentally bumped into this file.”
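The failure mode Shulman describes, a bulk customer file copied onto an internet-facing web server and then picked up by a search engine crawler, is one that a defender can check for before a crawler does. The script below is an added example written for this article, not code from HSBC, Imperva or any product named here. It walks a web document root and flags files that look like data exports (by extension) or that contain the data classes listed in the HSBC notice: social security numbers and long account-number-style digit runs. The directory layout, file names and record values it builds are constructed sample data, and the regular expressions are heuristics chosen for the example rather than any standard.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic patterns for the data classes named in the notice (constructed for
# this example). The SSN pattern rejects area 000/666/9xx, group 00 and
# serial 0000, which the Social Security Administration never issues.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Ten to sixteen consecutive digits: the shape of most loan and card account numbers.
ACCOUNT_RE = re.compile(r"\b\d{10,16}\b")

# Extensions that normally indicate a bulk export rather than web content.
DATA_EXTENSIONS = {".csv", ".xls", ".xlsx", ".sql", ".bak", ".json"}


def classify_file(path: Path) -> list[str]:
    """Return the list of findings for one file (empty list means clean)."""
    findings = []
    if path.suffix.lower() in DATA_EXTENSIONS:
        findings.append("data-export-extension")
    try:
        # errors="ignore" lets us skim binary files without raising.
        text = path.read_text(errors="ignore")
    except OSError:
        return findings
    if SSN_RE.search(text):
        findings.append("ssn")
    if ACCOUNT_RE.search(text):
        findings.append("account-number")
    return findings


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk a document root and map each suspicious file (relative path) to its findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            findings = classify_file(path)
            if findings:
                results[str(path.relative_to(root))] = findings
    return results


def build_sample_root() -> str:
    """Create a constructed document root: one normal page, one stray export, one benign note."""
    root = tempfile.mkdtemp(prefix="webroot-")
    (Path(root) / "index.html").write_text("<h1>Mortgage services</h1>\n")
    uploads = Path(root) / "uploads"
    uploads.mkdir()
    # Constructed records; the SSN and account values are not real.
    (uploads / "mortgage_accounts.csv").write_text(
        "name,ssn,account\nJane Doe,123-45-6789,4000123456789012\n"
    )
    (uploads / "notes.txt").write_text("Call back re: 555-0100 on Friday.\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for rel_path, findings in scan_webroot(sample).items():
        print(f"{rel_path}: {', '.join(findings)}")
```

Run against a real document root in place of the constructed one, this kind of scan belongs in a scheduled job or a deploy-time check, because the risk is not the file's presence on disk but the window between upload and the first crawler visit. A positive hit on a production web root is the cue to remove the file and then check access logs for prior retrievals, which is the forensic step Keanini refers to below.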
Commenting, TK Keanini, CTO of Lancope, said that HSBC, like any other business today, is highly connected and digitally dependent. “Let us just hope that the right level of telemetry is on the network itself so that the right level of forensics can ensure that everything known about the breach is known for remediation,” he said.
Keanini also praised the local security of HSBC, as the attacker had to go to the third party to find an access vector.
Tim Erlin, director of security and risk at Tripwire, said: “This is an example of breach notification laws in action, for both good and bad. We’re finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries so that the extent and impact is obscured.
“The notification describes data ‘inadvertently made accessible via the Internet,’ which might simply mean a spreadsheet shared where it shouldn’t have been. It could be that this incident really is contained to 685 residents of New Hampshire, and was the result of simple human error.”