Thursday, December 6, 2018

Woesnotgone Meadow; November 30, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. The weather was unusually cold earlier this week, which kept many of the residents inside. With activities limited by the cold, many people worked on their online banking, but not with HSBC Bank.

HSBC Bank has a presence in several countries. Notable for this case is the HSBC Bank subsidiary located in the US. Their system was attacked and compromised. The bank learned of this unauthorized access between October 4 and October 14, 2018. The attackers were able to exfiltrate the data they were targeting, including clients’ names, addresses, dates of birth, account numbers, transaction histories, payee details, and balances. With this data, the attackers, and whoever the data is sold to on the dark web, have the ability to make the affected parties’ lives “interesting” for more than the next decade. This data allows unauthorized parties to use the stolen identities to fraudulently open accounts, access other websites where the clients may have accounts, and overall keep the affected persons monitoring their credit reports.

This affected thousands of online customers of HSBC Bank USA. The bank did not publish the full number but did state that it was less than 1% of its US customers. Based on this, the affected parties could number up to 12,000 persons. This was the initial estimate and may increase as time passes and the forensic review continues. Per California state law, the bank notified the California Attorney General, as the breach affected 500 or more California residents.

The bank, attempting to be a good corporate citizen and limit liability, suspended the affected online accounts. In response to the compromise, the bank also worked to improve its client authentication process. It also recommended that clients update their passwords and add security features to their logins. This included the usual recommendation of using a unique password and changing it regularly.

The compromise was due to some form of a lack of cybersecurity. HSBC Bank has not, however, published how this occurred. The details noted so far seem to indicate this was a credential stuffing attack. This weakness is so useful to attackers because users reuse the same usernames and passwords across different website logins. Here, the credentials from one login are tried on other likely used websites and services.

If anyone in the Meadow is using the same logins or passwords for multiple websites, you may want to change these to something unique.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


