HSBC Acknowledges Massive Payment Card Breach
2.7 million Turkish cardholders' names, HSBC account numbers, card numbers and expiration dates were exposed.
"On identifying the incident, we took immediate action to safeguard our customers," the company said in a statement. "We launched an investigation that is ongoing in cooperation with the Banking Regulation and Supervision Agency of Turkey (BRSA) and other relevant authorities. All card operations of HSBC Turkey are functioning normally."
The compromised data included 2.7 million cardholders' names, HSBC account numbers, card numbers and expiration dates.
"There is no evidence that any of our customers’ other financial information or personal information was compromised," HSBC said. "There is no financial risk to our customers and there has been no evidence of any fraud or other suspicious activity arising from this incident."
According to a FAQ [PDF] on HSBC's website, the attack was discovered "through our own internal controls."
The company says it wouldn't be possible to use the stolen data to make transactions through Internet banking or telephone banking, or to print fraudulent cards and withdraw money from ATMs.
"Only the linked account number was compromised," the FAQ states. "The content of the account was not compromised. It is not possible to commit fraud with the linked account number."
Trey Ford, global security strategist at Rapid7, told eSecurity Planet by email that it's notable both that HSBC caught the breach soon after it took place, and that it discovered the breach itself. "This is impressive given that the vast majority of breaches are detected by third parties, and often not for months," he said.
"HSBC is underscoring that cards will not be re-issued at this time, and that the compromised data will not impact Internet Banking, ATM transactions, and telephone banking services; customers can continue using their cards with confidence," Ford added. "This is because 'card present' transactions require additional information that would be encoded on the magnetic strip, and for 'card not present' transactions, the card security code (CVC or CVV2) would be required to transact business."
The HSBC breach follows a similar breach this past summer at JPMorgan Chase, exposing information on 76 million households and 7 million small businesses. While the exposed data in that breach was similarly limited -- just names, addresses, phone numbers and email addresses -- several security experts noted that the stolen information could be leveraged to perform targeted attacks.
According to SafeNet's Breach Level Index for the third quarter of 2014, more than 183 million customer accounts and data records containing personal or financial information were either stolen or lost in 320 data breaches between July and September 2014.
"Consumers' heads must be spinning as criminals are easily getting access to their credit card, banking and personal information at every turn," SafeNet chief strategy officer Tsion Gonen said in a statement. "Companies should assume a breach and plan accordingly. They need to implement technologies and programs that minimize the impact of a breach on top of the traditional prevention. As it is, these technologies are just not being used to the fullest extent by either consumers or companies."
"While it’s not surprising that sophisticated cybercriminals are continuing to attempt these breaches, what is surprising is that again only 1 percent of breached records had been encrypted," Gonen added. "Now is the time for customers to demand that their personal information be encrypted by companies."