Global banking giant HSBC has admitted that it suffered a cyber security breach that has affected customer accounts. It is not disclosing how many accounts are affected. The breach occurred in a 10-day window between October 4th and 14th.
Hackers are believed to have gained access via the HSBC online app. HSBC responded by locking some customers out of the app until passwords were changed.
An unnamed spokesperson for the bank has said: “HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously.” The spokesperson also said that the bank had upgraded its security as a response to the attack.
What data has been stolen from HSBC?
There are no details of the stolen data on the HSBC website. However, the California Attorney General’s Office has published a copy of the letter sent to customers, which gives considerably more detail on the data that was exposed. It includes:
- Full name
- Account Number, type and balances
- Mailing address and phone numbers
- Date of birth
- Transaction history, statements and payee account information
The letter goes on to provide customers with more detail about the new security that HSBC is adding to its accounts. It also gives customers enrolment details for the Identity Guard solution it is paying for.
The bank has also provided customers with advice on what to do to keep their accounts safe. That includes:
- Change passwords
- Monitor transactions
- Place a fraud alert on their credit file
- Obtain and monitor credit reports
- File reports with the police and bank should suspicious activity take place
It will be interesting to see how quickly customers respond. What is not known is how many of the affected accounts are active and how often their owners use them. That means the bank will have to monitor the accounts itself and take corrective action on behalf of dormant customers or those who don’t use online services.
How did this happen?
HSBC says that the breach was caused by hackers using credential stuffing to gain access to accounts. This is where username and password pairs leaked in previous breaches are replayed, typically by automated tools, against the login pages of other services. It exposes users who reuse the same credentials across multiple services and don’t change them when one of those services is breached.
It is not known where the credentials used in this attack came from but, with billions of user credentials stolen every year and traded on the dark web, they could have come from anywhere. The most likely candidates are online shopping sites and other consumer services where customers reuse a bank password to cut down the number of passwords they have to remember.
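One control that directly counters this reuse, shown here as an added example that is not part of the original article and does not describe HSBC’s systems: reject a password at set-time (or flag it at login) if it appears in a known-breach corpus, without ever sending the password, or even its full hash, to the lookup service. The code models the k-anonymity range query used by Have I Been Pwned’s Pwned Passwords API, where only the first five hex characters of the SHA-1 hash leave the client. The `BreachRangeServer` class and its four-entry corpus are constructed stand-ins for the example, not a real service or real breach data.

```python
import hashlib

# Constructed stand-in for a breached-password corpus with made-up counts.
# A real service holds hundreds of millions of hashes; these four are only
# here so the example runs offline.
CONSTRUCTED_BREACHED = {"password": 3, "123456": 5, "qwerty": 2, "letmein": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the range-query scheme is built on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachRangeServer:
    """Hypothetical lookup service (assumption for this example).

    It answers "which hash suffixes under this 5-character prefix have you
    seen, and how often". It never receives a password or a full hash.
    """

    def __init__(self, breached: dict):
        self._ranges = {}
        for pw, count in breached.items():
            h = sha1_hex(pw)
            self._ranges.setdefault(h[:5], {})[h[5:]] = count
        self.received = []  # everything the server ever learns from clients

    def range(self, prefix: str) -> dict:
        self.received.append(prefix)
        return dict(self._ranges.get(prefix, {}))


def breach_count(password: str, server: BreachRangeServer) -> int:
    """Client side: send only the 5-hex-char prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return server.range(prefix).get(suffix, 0)


def password_acceptable(password: str, server: BreachRangeServer,
                        min_length: int = 12) -> bool:
    """Policy a bank could apply when a password is chosen: long enough and
    absent from the breach corpus. Thresholds are assumptions for the example."""
    return len(password) >= min_length and breach_count(password, server) == 0


if __name__ == "__main__":
    srv = BreachRangeServer(CONSTRUCTED_BREACHED)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", "rejected" if not password_acceptable(candidate, srv) else "ok")
    print("server only ever saw:", srv.received)
```

The same check run at login time is how a service can tell a customer "this password was seen in a breach, change it now" before a stuffing campaign gets to them; the privacy property that matters is that `server.received` only ever contains five-character prefixes.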
What is the industry reaction?
Reaction from the cyber security industry is pretty much as expected. It has repeated the advice the bank has issued. In addition, many have commented on the problems this may cause.
Rusty Carter, Vice President of Product Management at Arxan Technologies: “Companies need to treat the web and the browser application itself as a critical access point for enterprise security. Many companies stop at the network perimeter and are subsequently breached by their own APIs, browser/web apps and mobile applications that have been compromised.
“Consumers need to increase their vigilance as well. Reused passwords lost in one breach then become a free ticket to your other accounts. Consumers should employ unique passwords for every site and service they use and change them at least once a year (unless there’s a breach then of course sooner). Secure, paid service or locally run password managers make this easier in many cases than using a password you’ll remember. Consumers can create a long and complex passphrase to access their devices or password manager to keep their passwords secure and use complex password generators to create unique passwords per site.”
Meanwhile, Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge said: “Unless the scope, circumstances and total number of affected customers become known, it would be premature to make any categorical conclusions. Allegedly, only US customers are affected, thus it may indicate that the breach occurred via an authorized third-party or careless employee.
“The bank’s reaction is relatively prompt, and the proposed remediation seems to be technically adequate for the incident. This is, however, unlikely to exonerate them from private lawsuits and, perhaps, even a class action by disgruntled customers and privacy watchdogs.”
What does this mean?
Another day, another breach, and yet again we are seeing credential stuffing giving hackers access to user accounts. One question that HSBC will need to answer is why this was not spotted earlier. It is unlikely the hackers got lucky on the first try every time. There will have been large numbers of failed logins, spread across many accounts, which should have tripped the bank’s internal monitoring. Credential stuffing typically makes only one or two attempts per account, so per-account lockout counters rarely fire; the signal is a single source, or a small set of sources, touching thousands of different accounts with a high failure rate in a short period. Regulators and customers will be asking why that didn’t trigger an alert or, if it did, why nobody acted.
Another question will be why these bank accounts were accessed so simply. There appears to have been no multi-factor authentication in the way, which would have meant a stolen password on its own was not enough to log in. Given the number of times credential stuffing has been used in attacks, all financial institutions should have implemented this.
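The kind of monitoring that should have tripped, as an added example that is not part of the original article and does not describe HSBC’s actual systems: a detector run over a few constructed authentication log lines (the log format, IP addresses and account names are all made up for the example). It contrasts a per-account lockout counter, which never fires because each account sees only one or two attempts, with a per-source fan-out rule that flags one source hitting many different accounts with a high failure rate, and lists the accounts where that source nevertheless got in.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log, not real bank data.
# 203.0.113.7 replays one credential per account across many accounts (stuffing);
# 198.51.100.23 is one customer mistyping a password; 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2018-10-05T02:00:01Z src=203.0.113.7 user=acct1001 result=FAIL
2018-10-05T02:00:02Z src=203.0.113.7 user=acct1002 result=FAIL
2018-10-05T02:00:03Z src=203.0.113.7 user=acct1003 result=OK
2018-10-05T02:00:04Z src=203.0.113.7 user=acct1004 result=FAIL
2018-10-05T02:00:05Z src=203.0.113.7 user=acct1005 result=FAIL
2018-10-05T02:00:06Z src=203.0.113.7 user=acct1006 result=FAIL
2018-10-05T02:00:07Z src=203.0.113.7 user=acct1007 result=OK
2018-10-05T02:00:08Z src=203.0.113.7 user=acct1008 result=FAIL
2018-10-05T02:01:10Z src=198.51.100.23 user=acct2001 result=FAIL
2018-10-05T02:01:25Z src=198.51.100.23 user=acct2001 result=FAIL
2018-10-05T02:01:40Z src=198.51.100.23 user=acct2001 result=FAIL
2018-10-05T02:01:55Z src=198.51.100.23 user=acct2001 result=OK
2018-10-05T02:03:00Z src=192.0.2.9 user=acct3001 result=OK
"""

# Assumed line format for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> list:
    """Parse lines into (timestamp, src, user, ok) tuples, oldest first; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return sorted(events)


def per_account_lockout_hits(events: list, max_failures: int = 5) -> set:
    """Classic per-account counter: accounts that reach max_failures consecutive failures.
    Stuffing traffic spends one or two attempts per account, so this stays empty."""
    fails = defaultdict(int)
    locked = set()
    for _, _, user, ok in events:
        if ok:
            fails[user] = 0
        else:
            fails[user] += 1
            if fails[user] >= max_failures:
                locked.add(user)
    return locked


def detect_stuffing(events: list, window: timedelta = timedelta(minutes=10),
                    min_accounts: int = 5, min_fail_ratio: float = 0.5) -> dict:
    """Per-source fan-out rule: flag a source that tries at least min_accounts distinct
    accounts inside `window` with a failure ratio of at least min_fail_ratio.
    Thresholds are assumptions for the example; tune against baseline traffic."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            span = evs[start:end + 1]
            accounts = {e[2] for e in span}
            failures = sum(1 for e in span if not e[3])
            if len(accounts) >= min_accounts and failures / len(span) >= min_fail_ratio:
                alerts[src] = {
                    "accounts": len(accounts),
                    "attempts": len(span),
                    "failures": failures,
                    # the successes are the accounts that now need forced resets
                    "compromised": sorted(e[2] for e in span if e[3]),
                }
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-account lockouts:", per_account_lockout_hits(evs) or "none")
    for src, info in detect_stuffing(evs).items():
        print(f"stuffing from {src}: {info}")
```

In a real deployment the source key would be broader than one IP address (ASN, user agent and TLS fingerprint, since stuffing tools rotate proxies) and the thresholds would be set from observed baselines; the point is that the signal lives in the fan-out across accounts, not in the count per account, which is why a bank that only has per-account lockouts can be hit for ten days without noticing.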
The bank will also have to disclose at some point how many accounts were affected. Previous attacks on US companies have exposed European customers. This is something that the bank will need to address quickly and prove that the only customers affected are in the US.
At the same time, users need to take responsibility for their own actions. The failure to change passwords regularly and the reuse of passwords are their fault. It is not sufficient to blame the bank here. There is fault on both sides, although the bank must bear the brunt of this.
Unless we move away from simple password based systems this is going to happen again and again.