HSBC has suffered a serious data breach in its US retail banking business. Fraudsters gained access to customer account information, bank statements and other personal information.
The incident occurred between October 4 and 14, HSBC said Tuesday. The bank said it had discontinued online access to the affected accounts immediately and did not know of any customers who had suffered a financial loss.
The breach is the latest in a series of high-profile security incidents at large financial services groups. Although significantly fewer people were affected than in previous breaches at companies such as Equifax and JPMorgan, the fraudsters were able to access more detailed customer information.
A spokesman for the bank said, "HSBC regrets this incident and we take our responsibility to protect our customers very seriously."
HSBC said it has strengthened its sign-up and authentication process and implemented additional layers of security as a result of the incident. It also offered affected customers one year of free credit monitoring and identity theft prevention services.
Banks have invested significant amounts of money in cybersecurity in recent years, but are particularly vulnerable to attacks that exploit the carelessness of customers or employees.
HSBC said its attackers used a method called "credential stuffing", in which criminals use passwords and other data obtained from other websites to gain access to accounts.
The bank called on clients to use unique passwords for their accounts and, in particular, to avoid using the same credentials they use on social media.
The biggest breach at one of HSBC's US banking competitors was an incident at JPMorgan in 2014, which exposed names, addresses, phone numbers and e-mails from nearly two-thirds of US households. A breach at the credit agency Equifax last year affected about 143 million consumers.
In contrast, less than 1 percent of HSBC's 1.4 million US clients were affected by the recent breach. However, according to a letter sent by the bank and published by the California authorities, attackers were able to access a wider range of data, including bank account numbers and transaction histories.