HSBC Confirms Massive Database Security Breach
The bank came clean this week, admitting that data stolen by a former IT specialist exposed a lot more clients to possible identity theft than it previously suspected.
HSBC this week confirmed that a data theft it first uncovered last year impacted more than 24,000 people, or 15 percent of its total clients, a far cry from the 10 customers it originally said were affected.
The London-based private bank on Thursday said approximately 15,000 current clients and another 9,000 former clients with HSBC accounts in Switzerland had their account data swiped in 2006.
HSBC officials said the account information was stolen by Herve Falciani, a former IT specialist who was based in HSBC's Geneva branch. Falciani later tried unsuccessfully to sell the client data files to Lebanese banks before handing it over to French tax authorities, presumably for the purpose of tracking down French residents who tried to hide assets in the private foreign bank.
"We deeply regret the situation and unreservedly apologize to our clients for this threat to their privacy," Alexandre Zeller, CEO of HSBC Private Bank in Switzerland, said in a statement.
HSBC said it has made "significant improvements" to its data security procedures and technology in the interim, and invested more than $93 million to upgrade its computer systems and security procedures.
The private bank and its clients have dealt with a pair of damaging, high-profile data breaches in recent years.
In December, officials acknowledged that a bug in its imaging software accidentally revealed the confidential personal information of an unknown number of customers going through bankruptcy proceedings.
The data compromised by the bug in the imaging software included HSBC credit card account information, as well as line-of-credit and mortgage information included in Chapter 13 bankruptcy proof-of-claims that had been filed electronically.
In 2005, HSBC blamed an antiquated point-of-sale (POS) system for exposing the credit card information of more than 180,000 U.S.-based customers using its General Motors-branded MasterCard.
These security missteps have cost HSBC more than just its reputation.
In July, the British Financial Services Authority fined three HSBC firms a total of $5 million dollars for inadequate security controls, or a complete lack thereof -- the largest such fine in the UK to date.
A similarly embarrassing -- and potentially damaging -- security breach was reported earlier this year by U.S. financial services provider Lincoln National Corp.
Lincoln National officials in January admitted that more than 1.2 million customers' personal data may have been compromised after someone obtained a username and password to the company's portfolio management system.
The username and password was one of six shared credential sets that had been created as far back as 2002, and were shared among certain home-office and support staff to perform administrative functions and review client account activity.
HSBC officials said copies of a "significant portion" of the purloined data were returned to the bank March 3 by Swiss authorities, adding that it was conducting an internal investigation along with local law enforcement to identify the clients affected by the incident.
"We are determined to protect our clients' interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts," Zeller said.