HSBC discloses breach of U.S. bank accounts

The company didn't reveal exactly how the breaches occurred, but the information released by the bank points to credential stuffing.
HSBC Data Breach
The bank says only one percent of accounts were impacted. ( Flickr / <a href="">Kwok Ho Eddie Wong</a>)

HSBC disclosed a security incident earlier this week, saying that a small number of U.S.-based bank accounts were breached.

In a letter template sent to the California Attorney General’s office, the bank said it became aware of online accounts being accessed by unauthorized users between Oct. 4 and Oct. 14. The bank started notifying affected customers on Tuesday.

Once the company was made aware of the unauthorized activity, it suspended online account access.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” a spokesperson for the bank said. “We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”


The company says the attackers accessed less than 1 percent of the bank’s U.S. customer base.

The company didn’t reveal exactly how the breaches occurred, but the information released by the bank points to credential stuffing, that is, taking passwords discovered in other breaches and brute-forcing them against HSBC online accounts.

Attackers that breached accounts were able to access name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

The London-headquartered bank is the 15th largest bank in the U.S., with $201.3 billion in assets according to S&P Global Market Intelligence.

Greg Otto

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.

Latest Podcasts