[BreachExchange] HSBC now stands for Hapless Security, Became Compromised: Thousands of customer files snatched by crims

Destry Winant destry at riskbasedsecurity.com
Wed Nov 7 05:11:28 EST 2018


https://www.theregister.co.uk/2018/11/06/hsbc_security_broken/

HSBC has admitted miscreants have probably made off with personal
details of thousands of its online-banking customers.

The bank submitted paperwork [PDF] to the California Attorney
General's office late last week outlining its plan to notify folks of
the significant data theft. California law requires that the AG be
notified whenever a computer security breach affects 500 or more
residents in the US state.

HSBC would not give the exact number of online banking accounts crooks
rummaged through, but it would say the hack affects "less than 1 per
cent" of what reports estimate are 1.2 million US customers, meaning
as many as 12,000 Americans could have had their personal information
and account details fall into the hands of scumbags. Bear in mind, as
we've seen with Equifax, that number may rise considerably.

The accounts were likely ransacked between October 4 and 14, this
year, we're told.

"We are reminding our customers to protect access to their banking
accounts by regularly changing their passwords, and by using unique
passwords they are not using elsewhere, including on any social media
accounts," an HSBC spokesperson told The Register.

That suggests the accounts were accessed using so-called credential
stuffing, in which criminals exploit the fact people reuse the same
usernames and passwords across many sites. The hackers may have
obtained victims' login details from one website, and used them to log
into HSBC online banking accounts that reused the same credentials.
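The article does not say how HSBC noticed the intrusions, but the pattern credential stuffing leaves in authentication logs is distinctive and worth showing. Below is an added example (not HSBC's, nor The Register's, code) that parses a constructed login-event log format and flags a source address that tries many different usernames within a short window, each roughly once, with a handful of successes among the failures. That shape is what separates stuffing from a classic brute-force attack, which hammers one account many times. The log format, the field names, the thresholds and every address and username are assumptions chosen for illustration; the accounts it reports as "accessed" are simply the successful logins from the flagged source.

```python
"""Credential-stuffing detector over authentication logs.

Added example; not HSBC's or The Register's code. The key=value log
format, the thresholds and all sample data below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log (not real data). Three sources:
#   203.0.113.7   ten different usernames in six seconds, two succeed (stuffing)
#   198.51.100.9  one username, ten failures (brute force, not stuffing)
#   192.0.2.44    one user mistypes once, then logs in (benign)
SAMPLE_LOG = """\
2018-10-04T02:00:01Z src=203.0.113.7 user=alice result=FAIL
2018-10-04T02:00:02Z src=203.0.113.7 user=bob result=FAIL
2018-10-04T02:00:02Z src=203.0.113.7 user=carol result=OK
2018-10-04T02:00:03Z src=203.0.113.7 user=dave result=FAIL
2018-10-04T02:00:03Z src=203.0.113.7 user=erin result=FAIL
2018-10-04T02:00:04Z src=203.0.113.7 user=frank result=OK
2018-10-04T02:00:05Z src=203.0.113.7 user=grace result=FAIL
2018-10-04T02:00:05Z src=203.0.113.7 user=heidi result=FAIL
2018-10-04T02:00:06Z src=203.0.113.7 user=ivan result=FAIL
2018-10-04T02:00:06Z src=203.0.113.7 user=judy result=FAIL
2018-10-04T02:10:00Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:05Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:09Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:14Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:20Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:25Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:30Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:36Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:41Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T02:10:47Z src=198.51.100.9 user=mallory result=FAIL
2018-10-04T09:15:00Z src=192.0.2.44 user=alice result=FAIL
2018-10-04T09:15:08Z src=192.0.2.44 user=alice result=OK
"""


@dataclass
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


@dataclass
class Finding:
    src: str
    distinct_users: int      # usernames tried inside the busiest window
    attempts: int            # login attempts inside that window
    accessed: list = field(default_factory=list)  # accounts that succeeded from src


def parse_log(text: str) -> list:
    """Parse the assumed '<ISO8601> key=value ...' format into LoginEvents."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LoginEvent(
            datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            kv["src"], kv["user"], kv["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=8, max_tries_per_user=1.5) -> list:
    """Flag sources that spray many usernames, about once each, within `window`.

    Thresholds are assumptions; tune them against your own baseline. A
    single account receiving many attempts (brute force) is deliberately
    not flagged here, since that is a different signal with a different fix.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this source
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            if len(users) >= min_users and len(win) / len(users) <= max_tries_per_user:
                prev = findings.get(src)
                if prev is None or len(users) > prev.distinct_users:
                    accessed = sorted({e.user for e in evs if e.ok})
                    findings[src] = Finding(src, len(users), len(win), accessed)
    return sorted(findings.values(), key=lambda f: f.src)


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f.src}: {f.distinct_users} users / {f.attempts} attempts; "
              f"accounts accessed: {', '.join(f.accessed) or 'none'}")
```

Run against the sample, only 203.0.113.7 is reported, with carol and frank as the accounts it got into; those are the customers who would need their online access suspended, which is the step HSBC's notification letter describes. In production the same logic runs over a stream rather than a string, and the window and thresholds should be set from a baseline of normal traffic so that a shared corporate NAT address with many legitimate users does not trip it.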

The data likely swiped from the online accounts looks to be highly
sensitive and, if put to use by cybercriminals and identity thieves,
could be extremely harmful to HSBC and its customers.

HSBC says the hackers would have been able to siphon off customers'
full names, mailing addresses, phone numbers, email addresses, dates
of birth, account numbers, account types, account balances,
transaction histories, payee account information, and statement
histories.

Phishing gold in other words; basically, everything needed to hoodwink
marks with carefully crafted emails, and nearly everything (minus the
social security number) to steal someone's identity.

"HSBC became aware of online accounts being accessed by unauthorized
users between October 4, 2018 and October 14, 2018," the bank will
tell those whose details were likely nabbed during the cyber-raid.

"When HSBC discovered your online account was impacted, we suspended
online access to prevent further unauthorized entry of your account."

HSBC says that "out of an abundance of caution" it is going to offer
one year of free credit monitoring and identity protection to those
who were affected. "We have enhanced our authentication process for
HSBC Personal Internet Banking, adding an extra layer of security," it
added.

It doesn't take an abundance of caution to realize that, if you
receive a letter from HSBC, you should take them up on the offer ASAP,
ask for a credit freeze, and keep a very close eye on your bank
statements in the future. ®