HSBC confirms US data breach, comes clean to customers

HSBC Financial Corp. has started notifying US mortgage customers about an online data breach that left personal account information exposed to the internet.

The firm believes the breach, which included names, account numbers and Social Security numbers, began sometime towards the end of 2014 and continued until 27 March 2015 when the leak was discovered.

HSBC has so far left several details unconfirmed, including how the breach was discovered, how many times the data may have been accessed and whether there is any indication that the data has been misused.

Several industry experts have offered their analysis of the most recent in a conveyor belt of high-profile security breaches:

Troy Gill, manager of security research, Appriver:

"With so many of the bank's subsidiaries being named, the number of those affected will likely be quite substantial.

"Since HSBC does not appear to be claiming that they suffered a breach by hackers, it seems that they may have inadvertently stored the data in a manner that made it accessible on the internet.

"In this case the data could potentially have been compromised by countless groups/individuals to be used for nefarious purposes. With personal information including Social Security numbers being involved, this could have a severe impact for their account holders."

Tim Erlin, director of security and risk, Tripwire:

"This is an example of breach notification laws in action, for both good and bad. We're finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries, so the extent and impact are obscured.

"The notification describes data 'inadvertently made accessible via the Internet,' which might simply mean a spreadsheet shared where it shouldn't have been. It could be that this incident really is contained to 685 residents of New Hampshire, and was the result of simple human error."

Amichai Shulman, CTO, Imperva:

"The issue at hand is that customer files (or a single file containing data for multiple customers) were mistakenly transferred to a web server available on the WWW.

"That file (or those files) were indexed by Google (or some other search engine) and thus became available to everyone. My guess is that they became aware of it through someone who did some Google snooping and incidentally bumped into this file."
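The mechanism Shulman describes, a customer export copied into a web-served directory and later crawled, is something an operator can check for on the server before a search engine does. The following is an added example written for this page; it is not HSBC's tooling or that of any vendor quoted above. It assumes the scan runs on the web server against its own document root, and every file, path and SSN-like value in the sample is constructed.

```python
"""Scan a web document root for files that expose SSN-like data.

Added example for this page, not HSBC's or any quoted vendor's code. It
assumes the exposure mechanism described above (a customer export copied into
a web-served directory) and that the scan runs on the server itself, so it
finds the file before a crawler does. All sample data below is constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# 3-2-4 digit layout with a dash or space separator, not glued to other digits
# or dashes. Bare 9-digit runs are ignored on purpose: account and phone
# numbers collide with them and the false-positive rate becomes unworkable.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject layouts the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def count_ssns(text: str) -> int:
    """Number of SSN-like values in text that pass the issuance check."""
    return sum(1 for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups()))


def scan_webroot(root: str) -> list[tuple[str, int]]:
    """Return (relative path, hit count) for every file under root holding plausible SSNs."""
    root_path = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            path = Path(dirpath) / name
            try:
                # Binary files decode to noise rather than matches, so no extension filter:
                # a server will happily hand a crawler any file it can read.
                text = path.read_text(errors="replace")
            except OSError:
                continue
            hits = count_ssns(text)
            if hits:
                findings.append((path.relative_to(root_path).as_posix(), hits))
    return sorted(findings)


def build_sample_webroot(base: str) -> None:
    """Constructed sample: a stray customer export sitting next to ordinary site content."""
    root = Path(base)
    (root / "exports").mkdir(parents=True, exist_ok=True)
    (root / "exports" / "mortgage_customers.csv").write_text(
        "name,account,ssn\n"
        "A. Example,10023344,219-09-9999\n"   # plausible layout: counted
        "B. Example,10023345,000-12-3456\n"   # area 000 never issued: ignored
        "C. Example,10023346,987-65-4320\n"   # area >= 900 never issued: ignored
        "D. Example,10023347,123 45 6789\n"   # space separated: counted
    )
    (root / "index.html").write_text("<p>Branch hours: 09-17. Call 555-0100.</p>\n")
    (root / "robots.txt").write_text("User-agent: *\nDisallow: /private/\n")


def demo() -> list[tuple[str, int]]:
    """Build the constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for rel, n in demo():
        print(f"{rel}: {n} SSN-like value(s) exposed")
```

Run it against a real document root with `scan_webroot("/var/www/html")`; anything it reports is already reachable by whoever can reach the server, whether or not a search engine has indexed it yet. The issuance check only trims obvious junk, so a hit still needs a human to look at the file.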