The HSBC Breach: Laughing All the Way to the Bank? More Like Crying…


Ted McKendall

This week, HSBC announced that a number of its US customers were hacked in October.


In its statement on the breach, HSBC said that online accounts were compromised between October the 4th and the 14th – with stolen details including account numbers and balances, statement and transaction histories, and customers’ names, addresses, email addresses, and dates of birth. Quite the list!


It’s been reported that 1% of HSBC US customers were affected – which may not sound like much – but when you consider that the bank has 38 million customers worldwide, the number of those affected is likely in the several thousands.


HSBC said that it had suspended online access for the affected customers to prevent any further unauthorized account entry, and is offering a year of complimentary credit monitoring and identity theft protection. This is a quick and efficient response, especially compared to some organizations that are still taking several months to reveal that they were hacked (see the Cathay Pacific breach, for example). However, quick notification shouldn’t be the only criterion for good practice – breaches such as this shouldn’t be happening in the first place.


How Did the Breach Happen?


While the full details have not yet been officially released, this attack is thought to be the result of credential stuffing. This is an easy and relatively cheap way for attackers to get access to all sorts of accounts, and it is made possible by people’s continued habit of reusing the same usernames and passwords across multiple online services. When one service is breached and its usernames and passwords are stolen, those details frequently end up for sale on the dark web, where criminal organizations can buy them for very little. Criminals then try them against accounts on other services. Crucially, they don’t even have to do this manually: automated tools can try millions of credential pairs across different sites in minutes.


What Can Consumers Do to Protect Themselves?


The obvious way for consumers to avoid being caught up in these kinds of attacks is to use different login details for every account: use a password manager, don’t use dictionary words as passwords, and make sure passwords are long and complex. This advice has been touted for years, but it still isn’t being listened to enough, as evidenced by the fact that this HSBC hack has impacted as many people as it has.


How Should Organizations Protect their Customers?


Website owners themselves also have a huge responsibility to keep their customers’ details protected. While companies can monitor for this kind of credential stuffing activity, criminals have made it harder to recognize by using bots for the attack. Their techniques include spreading login attempts across numerous source addresses and spacing them out over time to avoid timeouts, so that an organization’s usual red flags are never triggered. Catching it therefore requires close attention to the frequency and sources of login attempts, correlating the suspicious ones and stopping them before criminals gain access to customer accounts.
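The two patterns described above (the single noisy source walking a leaked username list, and the spread-out, slowed-down variant that per-IP limits miss) can be surfaced from ordinary authentication logs. The script below is an added example written for this post; it is not HSBC’s or Trusted Knight’s code. The log format, the field names, the thresholds and the sample log lines are all constructed assumptions, and the IP addresses come from the documentation ranges.

```python
"""Credential-stuffing detection over authentication logs.

Added illustration for this post, not HSBC's or Trusted Knight's code. The
log format, field names, thresholds and sample lines are constructed
assumptions chosen to make the patterns in the text visible.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 UTC> src=<ip> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def analyze(lines, window=timedelta(hours=1),
            per_src_users=5, min_sources=10, min_fail_ratio=0.8):
    """Bucket events into fixed time windows and report three patterns:

    noisy_source     one IP trying many distinct usernames (simple stuffing)
    distributed      many IPs, each trying only one or two names, with a high
                     overall failure rate (the spread-out pattern that
                     per-IP rate limits miss)
    suspect_success  a successful login from an IP that also failed against
                     other accounts in the same window (possible takeover)
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    if not events:
        return findings
    t0 = events[0]["ts"]
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e["ts"] - t0) / window)].append(e)

    for idx in sorted(buckets):
        evs = buckets[idx]
        users_by_src = defaultdict(set)
        failed_users_by_src = defaultdict(set)
        for e in evs:
            users_by_src[e["src"]].add(e["user"])
            if not e["ok"]:
                failed_users_by_src[e["src"]].add(e["user"])

        # Pattern 1: a single source sprays many usernames.
        for src, users in users_by_src.items():
            if len(users) >= per_src_users:
                findings.append(("noisy_source", idx, src, len(users)))

        # Pattern 2: many "quiet" sources whose combined traffic mostly fails.
        fails = sum(1 for e in evs if not e["ok"])
        ratio = fails / len(evs)
        quiet_sources = [s for s, u in users_by_src.items() if len(u) <= 2]
        if len(quiet_sources) >= min_sources and ratio >= min_fail_ratio:
            findings.append(("distributed", idx, len(quiet_sources), round(ratio, 2)))

        # Pattern 3: a success from a source that failed against other accounts.
        for e in evs:
            if e["ok"] and (failed_users_by_src[e["src"]] - {e["user"]}):
                findings.append(("suspect_success", idx, e["src"], e["user"]))
    return findings


# --- constructed sample log (not real HSBC data) ---
SAMPLE = [
    # 09:00 window: one IP walks through a list of leaked usernames
    "2018-10-05T09:00:01Z src=203.0.113.10 user=alice result=fail",
    "2018-10-05T09:00:02Z src=203.0.113.10 user=bob result=fail",
    "2018-10-05T09:00:03Z src=203.0.113.10 user=carol result=fail",
    "2018-10-05T09:00:04Z src=203.0.113.10 user=dave result=fail",
    "2018-10-05T09:00:05Z src=203.0.113.10 user=erin result=fail",
    "2018-10-05T09:00:06Z src=203.0.113.10 user=frank result=fail",
    # an ordinary customer logging in from their own address
    "2018-10-05T14:02:00Z src=192.0.2.5 user=zoe result=ok",
]
# 14:00 window: twelve IPs, one attempt each, spaced four minutes apart
for i in range(1, 13):
    SAMPLE.append(f"2018-10-05T14:{4 * i:02d}:00Z src=198.51.100.{i} user=user{i} result=fail")
# one of those IPs later succeeds against a different account
SAMPLE.append("2018-10-05T14:55:00Z src=198.51.100.7 user=grace result=ok")

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Run as-is, the first window yields a `noisy_source` finding for 203.0.113.10, and the second window yields a `distributed` finding (13 low-volume sources, 86% failures) plus a `suspect_success` for the login to `grace`, which is the event a bank would want to block or step up before the account is used. In production the thresholds and window size would be tuned to the site’s normal traffic, and source correlation would usually extend beyond raw IPs (ASN, device fingerprint, user agent), but the windowing and the three signals are the core of the approach.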


Trusted Knight develops solutions that help banks, financial services firms, and any organization that processes sensitive credentials through its website to protect its customers’ information. For more information on how to protect your business with Trusted Knight, click here.

