If you have a mortgage with HSBC, you may want to get in touch with them this morning. The company revealed that it is notifying American customers of its Finance division that their personal information has been accidentally published online since last year.
It is believed that HSBC exposed customer names, account numbers, social security numbers, and telephone numbers. Publishing the data was the result of a corporate error and was not attributed to hackers.
The leak was discovered on March 27 and is believed to have begun towards the end of last year. Precisely when the breach occurred has still not been disclosed. In addition to HSBC, a number of its subsidiary firms have also been affected, and the damage outside of New Hampshire is expected to be substantial.
The company confirmed the breach only through a letter received by the New Hampshire Attorney General’s Office. Mandatory disclosure is a legal obligation in the state of New Hampshire, where 685 residents are believed to be compromised by the leak.
“We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident,” the bank writes.
Troy Gill, Manager of Security Research at Appriver, stated:
“Since HSBC does not appear to be claiming that it suffered a breach by hackers, it seems that it may have inadvertently stored the data in a manner that made it accessible on the internet.”
“In this case the data could have potentially been compromised by countless groups/individuals to be used for nefarious purposes. With personal information including social security numbers being involved, this could have a severe impact for their account holders.”
This is an example of breach notification laws in action, both good and bad. While we were able to find out about this breach because HSBC was required to notify residents of New Hampshire, the notification laws vary across states and countries, so the full extent and impact are not yet known.
With so many of the bank’s subsidiaries being named, the number of those affected will likely be substantially more than the 700 or so we know about presently.