On Monday, an undisclosed number of HSBC’s customers received a letter notifying them of a data breach.
HSBC has not confirmed the number of affected customers or whether the attack impacted international customers or U.S. customers only. While consumers wait for the company to release more details, they should be aware that possibly exposed information could include full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction histories, payee account information, statement histories, and more.
“HSBC became aware of online accounts being accessed by unauthorized users between October 4, 2018 and October 14, 2018,” the bank wrote in a data breach notification letter submitted to Californian authorities. Also in the letter, the bank said it believes the thieves gained access via a password-guessing technique often referred to as a credential stuffing attack. In such an attack, hackers try username and password combinations obtained during other data breaches, hoping that some people have reused the same combination on other accounts.
Following a data breach, any potentially impacted consumers should take extra measures to stay safe and secure online and offline. They should monitor all activity on their financial and credit card accounts, change the username and password on any account that shared login details with the compromised account (and on all others for good measure), lock down their logins by using two-factor authentication, and review any information from their insurance companies and/or explanations of benefits. We also strongly urge everyone to sign up for an identity protection service that includes credit and identity monitoring. HSBC is offering to pay for credit monitoring and identity theft protection for all impacted users. However, everyone should be wary that not all monitoring services will protect them equally. We encourage individuals who are evaluating identity protection services, and businesses who are evaluating such third-party services, to choose a service that provides identity monitoring in addition to credit monitoring, and to compare the monitoring capabilities and the quality of the customer service.
Comprehensive identity monitoring services should use automated monitoring AND human threat intelligence for their internet (surface, deep and dark web) surveillance and compromised credential monitoring. The monitoring should also include alerts so that if a customer’s information is detected, they can quickly assess the exposure and work with resolution experts to minimize any impact.
Some recommended information to monitor includes:
- Login credentials for various sites
- Social Security number
- Email addresses
- Date of birth
- Debit/credit card numbers
- Bank account numbers
- Insurance card/policy number
- Driver’s license number
- Loyalty card numbers
- Affinity card numbers
- Passport number
To learn more about protecting your customers’ and employees’ data with Generali Global Assistance identity and digital protection, request a demo.