HSBC Finance Corporation has begun notifying an undisclosed number of consumers that their mortgage account information was inadvertently exposed on the internet.
The firm believes the exposure began sometime towards the end of 2014 and continued until March 27, 2015, when they learned of the breach. The compromised information includes customers’ names, account numbers, Social Security numbers and old account information, including some telephone numbers.
The breach affected customers of the firm’s subsidiaries, including Beneficial Financial I, Inc., Beneficial Homeowner Service Corporation, Beneficial Maine, Inc., Beneficial Massachusetts, Inc., Beneficial New Hampshire, Inc., Household Finance Corporation II, Household Finance Corporation of Alabama,
“HSBC’s negligence with personal sensitive data is another symptom of the overall disregard of protecting data,” said Richard Blech, CEO, Secure Channels, via email. “HSBC wasn’t breached but they were lazy, which would have ended up with a breach if they hadn’t released the info themselves. Ironically this would not have been a news story if they had simply encrypted the sensitive data in the first place, leaving only unreadable and useless bits and bytes if leaked.”
TK Keanini, CTO of Lancope, added that HSBC is a very attractive target.
“HSBC is a connected business and by that I mean connected to subsidiaries, to partners, and to consumers,” he said. “Attackers know this and know that they only need to find a single entry point and once in, they can start to operate across this connected business. HSBC is like any other business today, highly connected and digitally dependent. Let us just hope that the right level of telemetry is on the network itself so that the right level of forensics can ensure that everything known about the breach is known for remediation. These threats often leave 'doors' to get back in because they know they will be discovered at some point.”
He also noted that this breach, along with all the others, demonstrates that networks need to be retrofitted with a level of accounting that leaves the attacker no place to hide. This must be done prior to an incident and must be made standard. Once in place, state-of-the-art anomaly detection is the countermeasure for this threat.