HSBC has locked some customers out of their online accounts in response to a data breach that saw unauthorised users gain access to a host of financial and personal information.
In a notice to customers, which has been filed with California's Attorney General's office, the bank says: "HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018.
"When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account."
The information which may have been accessed includes full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.
HSBC has not provided exact details on how many customers are affected, but Finextra understands that it is less than one per cent of US online accounts. The bank also believes that personal information obtained from sources other than HSBC was used. This may have included passwords from other non-HSBC accounts, an approach known as "credential stuffing".
The bank says customers may have received a call or email from it to assist with resetting login details and that, "out of an abundance of caution", it is offering those affected a free year-long subscription to the Identity Guard credit monitoring and ID theft protection service.
In a statement, Rob Sherman, US head, media relations, HSBC, says: "HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously. We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts.
"We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service."
Commenting on the news, Ilia Kolochenko, CEO of web security company High-Tech Bridge, says: "The bank's reaction is relatively prompt, proposed remediation seems to be technically adequate for the incident.
"This will, however, unlikely exonerate them from private lawsuits and, perhaps, even a class action by disgruntled customers and privacy watchdogs."