HSBC has reported that attackers managed to access the personal information of a limited number of its customers from 4 October to 14 October this year. Account numbers, balances, addresses, transaction history and more were accessed by the attackers. It’s thought that the breach affected approximately 1% of US HSBC accounts.
This information came to light because, under California law, any company that conducts business in California must agree to file security notices with the Attorney General’s office in the event of a data breach. The notice is sent to residents, and if the number of residents receiving a notice exceeds 500, then the business must also make the notice available so it can be shared publicly.
It’s thought that the login credentials may have been stolen in previous data breaches, with attackers then using them to conduct a credential stuffing attack on HSBC. A credential stuffing attack is a form of cyber attack where attackers use stolen credentials to gain unauthorized access through large-scale automated login requests against a web application.
In response to this attack, HSBC has said they have hardened their security for the sign-in and authentication process. This should make this type of attack less viable in the future.
We recommend that our readers practice good “security hygiene”, therefore making this kind of attack impossible. By good “security hygiene,” we mean updating your passwords regularly, using complex passwords containing a variety of characters, and steering away from anything obvious, such as your mother’s name. It’s also important to vary your passwords between sites, using a unique password for every site you sign up to. You can use a password manager to help you keep track of your passwords.
Those stung by the HSBC data breach are being offered a free year of the Identity Guard credit monitoring service. If you have been affected you should have received a notice; information on how to claim your Identity Guard compensation will be included in the notice.