HSBC Customers Are Urged to Change Passwords in the Wake of a Security Breach
Last Friday, the American branch of HSBC filed a Notice of Data Breach letter with the Attorney General of the state of California. The multi-national bank apparently learned that between October 4 and October 14, unauthorized parties managed to break into the online banking accounts of some of its US customers. The financial institution's security team immediately disabled access to the affected accounts, notified the owners, and asked them to change their passwords. They later told reporters that they had also fortified the login mechanism and had added another layer of security.
Many questions remain unanswered. For example, we don't know what the new layer of security consists of, and we'd be happy to find out why it wasn't there before the attack. It would also be interesting to learn why HSBC noticed the breach just under a month after the hackers first started breaking into accounts. With no official information on any of those aspects, all we can do is take a look at how bad the whole thing was.
The dark cloud
We're not talking about a bug that let attackers read some information that should have been protected. The attackers logged in with valid credentials, which means they saw everything the account owner could see: names, mailing addresses, phone numbers, account balances, payment details, transaction histories, and so on. The affected individuals should tread carefully now that so much of their personal data has been exposed; details like these are exactly what a convincing phishing email or a fraudulent call from "the bank" is built on.
A data breach at a financial institution is never a good thing. When this type of incident turns into something of a recurring theme, however, the problem is serious. Unfortunately, this is not the first time HSBC has lost or exposed its customers' data. In 2007, an insider stole the account information of about 15,000 individuals, and for the next three years, the bank remained completely oblivious to the incident. In late 2014, ten of HSBC Finance's subsidiaries exposed personal information, including names and Social Security numbers, of an unknown number of customers. Last year, in yet another security blunder, HSBC's Bermuda branch accidentally emailed personal data of some of its clients to individuals who weren't supposed to see it. Once again, the bank refused to disclose how many people were affected.
HSBC customers have not had it easy over the years, and they probably aren't amused by the latest data breach incident.
The silver lining
With all that being said, we can't put all the blame on HSBC in this particular case. Although the bank itself has yet to come up with an official announcement, evidence suggests that its systems were not compromised. Apparently, the crooks launched a credential stuffing attack.
Credential stuffing, for those of you who don't know, means taking lists of username and password combinations leaked in a data breach of one website and trying them, usually with automated tools and from many different IP addresses, on other online services. It is not brute force: each account typically gets just one or two guesses, namely the password that person used elsewhere. Because password reuse is the norm rather than the exception, a fraction of those guesses will work, and when the list holds millions of pairs, even a success rate of well under 1% translates into thousands of hijacked accounts.
Ultimately, users are responsible for the passwords they choose, so in that respect, you could even say that HSBC did nothing to cause this particular data breach, although spotting an attack of this kind quickly is still the bank's job. Even so, the bank has promised that affected individuals will be offered a year's worth of credit monitoring and identity theft protection services for free.
Another piece of good news is that the scope of the breach wasn't that huge. About 1% of HSBC US's 1.4 million customers were affected, and so far, the bank hasn't seen any evidence of fraudulent activity related to the breach. In short, it could've been much worse. Even so, the importance of such an incident should not be underestimated, and lessons must be learned.
HSBC is once again making the headlines for all the wrong reasons. After the breach, the management team said that the login system has been strengthened, but the lack of any even vaguely technical details makes the whole thing sound less convincing than it should be.
The users are the ones who should be paying attention the most, though. A bank can take precautions: it can rate-limit logins, flag sessions from unfamiliar devices and locations, screen new passwords against lists of leaked credentials, and offer two-factor authentication. Most of these add friction to the user experience, however, and none of them helps an account whose password is already in the attackers' list and whose owner has no second factor. Users, on the other hand, are in a different position. If they stop reusing passwords, credential stuffing attacks will become inefficient, and the crooks will drop them.
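The detection side of this is worth seeing in practice. The following is an added example written for this article; it is not HSBC's code, and nothing is known about the bank's actual logs or detection logic. It assumes a simple, made-up login log format (one line per attempt with a result, a username and a source IP), uses constructed sample lines rather than real data, and picks its thresholds arbitrarily. The point it makes is the one from the explanation above: credential stuffing looks like many different accounts, one guess each, mostly failing, from the same source, which is a different shape from brute force against one account, so it can be separated from both brute force and ordinary typos, and the accounts that did succeed from a flagged source are the ones to lock and reset.

```python
"""Spot credential stuffing in authentication logs (illustrative example).

Log format and thresholds are assumptions for this example; the sample
lines below are constructed, not real bank data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: "<timestamp> login ok|fail user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Tuning knobs (chosen for this example; a real deployment would calibrate them).
MIN_ATTEMPTS = 5        # ignore sources with fewer attempts than this
MIN_DISTINCT_USERS = 5  # stuffing touches many accounts...
MIN_FAIL_RATE = 0.5     # ...and most of the guesses are wrong


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    succeeded_users: set = field(default_factory=set)

    @property
    def fail_rate(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_log(lines):
    """Yield (timestamp, result, user, ip) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")


def aggregate_by_ip(events):
    """Count attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(IpStats)
    for _ts, result, user, ip in events:
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "fail":
            s.failures += 1
        else:
            s.succeeded_users.add(user)
    return dict(stats)


def classify(s: IpStats) -> str:
    """Label one source as normal, brute_force or credential_stuffing."""
    if s.attempts < MIN_ATTEMPTS or s.fail_rate < MIN_FAIL_RATE:
        return "normal"
    # Many failures spread over many accounts is the stuffing signature;
    # many failures against one or two accounts is classic brute force.
    if len(s.users) >= MIN_DISTINCT_USERS:
        return "credential_stuffing"
    return "brute_force"


def analyze(lines):
    """Return ({ip: verdict}, accounts that logged in from a stuffing source)."""
    stats = aggregate_by_ip(parse_log(lines))
    verdicts = {ip: classify(s) for ip, s in stats.items()}
    compromised = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential_stuffing":
            # A success from a stuffing source means that password was reused
            # somewhere that leaked: lock the account and force a reset.
            compromised |= stats[ip].succeeded_users
    return verdicts, compromised


# Constructed sample: one stuffing source (8 accounts, one hit), one brute-force
# source (10 tries on a single account), one legitimate user who mistyped once.
STUFFING_IP, BRUTE_IP, LEGIT_IP = "203.0.113.7", "192.0.2.9", "198.51.100.2"
SAMPLE_LOG = (
    [f"2018-10-04T02:11:{i:02d}Z login {'ok' if u == 'carol' else 'fail'} "
     f"user={u} ip={STUFFING_IP}"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    + [f"2018-10-04T02:12:{i:02d}Z login fail user=ivan ip={BRUTE_IP}" for i in range(10)]
    + [f"2018-10-04T02:13:00Z login fail user=judy ip={LEGIT_IP}",
       f"2018-10-04T02:13:20Z login ok user=judy ip={LEGIT_IP}",
       "malformed line that the parser should skip"]
)

if __name__ == "__main__":
    verdicts, compromised = analyze(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("accounts to lock and reset:", sorted(compromised))
```

Grouping by source IP is the simplest cut; real campaigns spread attempts over proxy pools, so the same counting is usually also done per user-agent, per ASN and globally (a sudden rise in the overall failure rate across many accounts is itself a signal). Note that the flagged source's one successful login is the interesting event: it looks perfectly ordinary on its own, which is why a bank that only watches individual accounts can miss this kind of attack for weeks.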
Having unique passwords for all your accounts also presents a challenge, but with tools like our own Cyclonis Password Manager, you can overcome it easily. To learn more about it, click here.