HSBC moves to clean up data breach

By Rebekah Tunstead | 6 November 2018

Today HSBC customers in the US were notified of a breach of data that occurred last month. The cyber attack is supposed to have affected less than 1% of their US accounts, with evidence of an unauthorised log-on leaving some personal information accessible.

According to an Accenture report published in 2016, 59% of banks admit it takes “months” to detect successful breaches, while another 14% identify them “within a year” or longer.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” says Rob Sherman, US head of media relations for HSBC.

“We responded to this incident by fortifying our log-on and authentication processes and implemented additional layers of security for digital and mobile access to all personal and business banking accounts.

It is believed that extra security has been put in place in the form of customers being asked for additional personal information before they can log into their accounts, and a CAPTCHA process has been added.

“We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service,” says Sherman.

Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge says that as only US customers were affected, it may indicate that the breach occurred via an authorized third-party or a careless employee.

“Data leaks caused by negligent third-party providers become more and more frequent these days. An abandoned US based web system with a limited set of customers' data can also be among the possible attack vectors. Often large companies deploy demo systems to production for legitimate testing purposes, consequently forgetting about them, leaving the unprotected systems and data externally accessible.

“The bank's reaction is relatively prompt, proposed remediation seems to be technically adequate for the incident. This will, however, unlikely exonerate them from private lawsuits and, perhaps, even a class action by disgruntled customers and privacy watchdogs.”

However, bitcoin and cryptocurrencies are providing a wealth of opportunities for cybercriminals to make easy money without much risk says Kolochenko.

“Compared to well-protected financial institutions, which have solid capacities to investigate and prosecute the attackers, the crypto world is quite ‘toothless’. Even the largest stock exchanges systematically under-invest in their cybersecurity, let alone ordinary users of crypto gold. Worse, the stolen amounts are frequently untraceable from a technical standpoint.

“At the same time, European law enforcement agencies are already overloaded with incoming complaints, and simply have not any spare resources to investigate petty digital theft (compared to other incidents they handle). All this opens a wide new horizon for cyber gangs who can now commit crime in impunity and without much risk."

Common sense and holistic risk assessment are the only ways to implement a consistent security policy that can reasonably prevent intruders says Ilia.

“What we frequently see is that financial institutions, I’m not talking only about banks but in a different organisation including banks, they tend to try one solution shifting to another saying ok blockchain will save us, well no, let’s try artificial intelligence…”

“Today pretty often we have data that companies think, ‘our strategy is blockchain and we will try to blockchainize everything and we will be safe.’ You have first of all to establish which digital assets you have, how risky and how attractive are they, and only afterwards can you implement different technologies to secure them.”

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development