A data breach at HSBC Bank has allowed attackers to gain access to a limited amount of customers' information such as account numbers, balances, addresses, transaction history, and much more.
California law requires businesses that conduct business with California residents to file security notices with the Attorney General's office in the event of a data breach or other cyber security incident. If a notice is sent to more than 500 California residents, then the business must also submit a sample of the notice so it can be made available online.
According to a new data breach notice filed on November 2nd, 2018 with the California Attorney General's office, HSBC Bank detected online accounts being accessed by unauthorized users between October 4th, 2018 and October 14th, 2018.
"HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018," stated HSBC's data breach notice. "When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account. You may have received a call or email from us so we could help you change your online banking credentials and access your account. If you need help accessing your account, please call >. We apologize for this inconvenience. HSBC takes this very seriously and the security of your information is very important to us."
Sources familiar with the matter state that this breach affected about 1% of U.S. accounts and that login credentials were most likely obtained from other data breaches. Those credentials were then used in a credential stuffing attack against HSBC.
In order to prevent credential stuffing attacks, users should regularly change their passwords and use unique passwords at each site they visit.
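One way a defender could spot this pattern in sign-on logs and list the accounts to suspend and reset, as the notice says HSBC did for impacted accounts. This is an added example, not code from HSBC or from this article; the log format, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-on events: (ISO timestamp, source IP, username, outcome).
# IPs come from documentation ranges (RFC 5737); usernames are made up.
SAMPLE_EVENTS = [
    ("2018-10-04T02:00:01", "203.0.113.7", "alice", "fail"),
    ("2018-10-04T02:00:03", "203.0.113.7", "bob", "fail"),
    ("2018-10-04T02:00:05", "203.0.113.7", "carol", "success"),
    ("2018-10-04T02:00:08", "203.0.113.7", "dave", "fail"),
    ("2018-10-04T02:00:11", "203.0.113.7", "erin", "fail"),
    ("2018-10-04T02:00:14", "203.0.113.7", "frank", "success"),
    # One customer mistyping a password: repeated failures, but a single account.
    ("2018-10-04T09:15:00", "198.51.100.20", "grace", "fail"),
    ("2018-10-04T09:15:20", "198.51.100.20", "grace", "fail"),
    ("2018-10-04T09:15:45", "198.51.100.20", "grace", "success"),
]


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5,
                    min_fail_ratio=0.5):
    """Return {ip: sorted usernames with a successful login} for every source
    that tried at least min_users distinct accounts inside one sliding window
    while at least min_fail_ratio of those attempts failed."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome == "success"))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Once a source is flagged, every account it logged into is
                # suspect, not only those inside the triggering window.
                flagged[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_EVENTS).items():
        print(f"{ip}: suspend and reset {', '.join(accounts)}")
```

Counting distinct usernames per source, rather than raw failures, is what separates the stuffing source from the customer who mistypes a password three times.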
As the attackers were logging into a user's online banking account, they had access to all information that can normally be found on personal banking sites. This includes addresses, phone numbers, balances, transactions, and account numbers.
"The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available," continued the data breach notice.
HSBC told BleepingComputer in a statement that they have increased the security in their sign-on and authentication processes in order to make it harder to perform similar attacks in the future.
"HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously. We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service."
Victims who have been affected by this breach are being offered a free year of the Identity Guard credit monitoring service. Information on how to access this free service will be enclosed in the notice.