HSBC Finance recently began notifying an undisclosed number of mortgage customers that their personal information, including names, Social Security numbers, account numbers and some phone numbers, may have been mistakenly made available online in late 2014 and early 2015.
The company discovered the error on March 27, 2015, and began notifying those affected on April 9. All those affected are being offered one free year of credit monitoring and identity protection from Identity Guard.
"We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident," HSBC stated in the notification letter [PDF]. "We have ensured that the information is no longer accessible publicly."
Those affected include customers of HSBC Finance subsidiaries Beneficial Financial I Inc., Beneficial Consumer Discount Company, Beneficial Homeowner Service Corporation, Beneficial Maine Inc., Beneficial Massachusetts Inc., Beneficial New Hampshire Inc., Household Finance Corporation II, Household Finance Corporation of Alabama, Household Financial Center Inc., and Household Realty Corporation.
Troy Gill, manager of security research at AppRiver, told eSecurity Planet by email that while HSBC hasn't stated how many people are impacted, the number of subsidiaries affected indicates that the total number of customers impacted by the breach is likely to be substantial.
And while HSBC hasn't said exactly how the data was inadvertently exposed, Gill said the fact that it was made available online indicates that it could have been accessed by countless individuals or groups. "With personal information including Social Security numbers being involved, this could have a severe impact for their account holders," he said.
Tripwire security and IT risk strategist Tim Erlin said HSBC's disclosure serves as a good example of breach notification laws in action. "We're finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries so that the extent and impact is obscured," he said.
"The notification describes data 'inadvertently made accessible via the Internet,' which might simply mean a spreadsheet shared where it shouldn't have been," Erlin added.