
The lender said that the perpetrators may have accessed information including account numbers and balances, statement and transaction histories and payee details, as well as users' names, addresses and dates of birth.
Owojela’s Blog understands the firm believes that fewer than 1% of its American clients were affected.
It said it had already contacted those thought to have been exposed.
"HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously," the bank said in a statement.
"We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service."
The bank said the online accounts were breached between 4 and 14 October.
It is not clear whether the attackers have tried to make use of the data to steal savings.
A template of the alert sent to customers has been posted online by the California Attorney General's Office, although the hack was not limited to that state.
One expert said it appeared that the technique involved was "credential stuffing", in which personal details harvested from elsewhere had been used to gain unauthorised access to the accounts.
"The information made public so far by HSBC is quite limited," said Prof Alan Woodward from the University of Surrey.
"It is clearly still investigating what happened whilst taking the actions necessary to protect customers and advise regulators.
"There's a lot more information we've yet to see, which I hope HSBC makes public when it has it."