HSBC disclosed a security incident earlier this week, saying that a small number of U.S.-based bank accounts were breached.
In a letter template sent to the California Attorney General’s office, the bank said it became aware of online accounts being accessed by unauthorized users between Oct. 4 and Oct. 14. The bank started notifying affected customers on Tuesday.
Once the company was made aware of the unauthorized activity, it suspended online account access.
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” a spokesperson for the bank said. “We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”
The company says the attackers accessed less than 1 percent of the bank’s U.S. customer base.
The company didn’t reveal exactly how the breaches occurred, but the information released by the bank points to credential stuffing, that is, taking passwords discovered in other breaches and brute-forcing them against HSBC online accounts.
Attackers that breached accounts were able to access name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.
The London-headquartered bank is the 15th largest bank in the U.S., with $201.3 billion in assets according to S&P Global Market Intelligence.