When news of the data leak – apparently caused by a rogue member of the HSBC staff – was first reported last December, it was thought that fewer than 10 accounts were involved. At the time, Herve Falciani, a former HSBC IT specialist, was reported to have stolen the data and passed it to the French tax authorities.
HSBC has now admitted that it has discovered that 15 000 existing and 9000 former clients were affected.
The bank's Swiss operation says it is now in the process of contacting those clients – and any others with Swiss private bank accounts – to explain the situation and apologise. Reports suggest that the private bank has as many as 100 000 clients worldwide.
According to the Bloomberg newswire, HSBC says it only realised the full extent of the data leak earlier this month when the Swiss authorities returned the data in their possession.
Alexandre Zeller, chief executive of HSBC's Swiss private bank, said: "We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy. We are determined to protect our clients' interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts."
When news of the data leak broke late last year, it triggered a diplomatic and banking row between France and Switzerland, ending with the French authorities saying they would transfer the data to their counterparts in Switzerland. The French government, however, said it would use the information to pursue French citizens for any unpaid taxes.
Since news of the data leak – which was originally ascribed to a single rogue employee – broke late last year, HSBC Switzerland says it has spent more than £60m on improving its IT security systems.
Aside from the serious dent in the reputation of Swiss bankers for their discretion, the revelations have drawn surprise from a number of IT security sources.
Udi Mokady, president of Cyber-Ark, the data security vendor that specialises in secure audited sharing of data within organisations, said he was surprised, as the data theft appears to be down to a lack of privileged account controls at the bank.
"Here is yet another powerful example of the significant risk of unmanaged and unmonitored privileged accounts", he said, adding that failing to control privileged accounts on an organisation's IT systems is a high-risk security option.
"We are seeing that organisations now get the message about the high risk of not controlling their privileged accounts and super-users. There are proven processes, procedures and products available to help address exactly this type of privileged identity risk", he said.
"We are seeing a lot of interest in privilege user management amongst our major customers. Privileged users often have multiple contacts in their accounts and this can pose a potentially serious security risk to an organisation if a high privilege account is compromised", he added.
As reported earlier this week by Infosecurity, Cyber-Ark will launch v6.0 of its Privileged Identity Management suite of software at Infosecurity Europe in London next month.