Cyber Incident Victim: HSBC

Date: Oct 2018

Location: United States of America

Summary

A cybersecurity breach at HSBC involved unauthorized access to online customer accounts over a ten-day period, compromising sensitive personal and financial data. Exposed information included full names, mailing addresses, contact details, birthdates, account numbers, balances, transaction histories, and payee details. The bank suspended impacted accounts upon detection to prevent further intrusion and subsequently strengthened authentication protocols while implementing enhanced security layers for digital and mobile banking platforms. Affected customers were offered complimentary identity protection services for one year as part of the remediation efforts.

Description

HSBC Bank experienced unauthorized access to customer online accounts between October 4 and October 14, 2018, as disclosed in a November 2, 2018 filing with the California Attorney General's office under state breach notification laws. The bank detected compromised accounts during this 10-day window and immediately suspended online access for affected customers to prevent further intrusion. Exposed information included full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, balances, transaction histories, payee account details, and statement histories where available. The breach impacted personal banking customers with online accounts, though HSBC did not disclose the exact number of affected individuals beyond confirming California residents were involved. No business accounts were explicitly mentioned as compromised in the filing.

Upon discovering the incident, HSBC implemented enhanced security measures including fortified authentication protocols and additional protection layers for digital and mobile access across all personal and business banking platforms. The bank acknowledged responsibility for customer protection failures and offered impacted individuals one year of complimentary Identity Guard credit monitoring services. While transaction histories and account balances were accessed, HSBC's notice did not indicate fraudulent transactions resulted directly from the breach. The institution completed mandatory regulatory notifications within California's statutory timeframe but did not publicly disclose whether other jurisdictions or global operations were affected. Forensic investigation timelines and specific attacker methodologies remained undisclosed in the available filing documentation.
