HSBC confirms security breach exposing 2.7 million credit cards
November 14, 2014
HSBC has confirmed a security breach exposing the details of 2.7 million credit card accounts. However, the bank has made a decision not to reissue cards after saying that the data exposed is not enough to make fraudulent transactions.
The compromise (limited to the international bank's business in Turkey) exposed credit card numbers, expiration dates, names and the associated HSBC account number of those card holders.
The security breach was detected internally and has not been linked to any fraudulent transactions, as a notice by HSBC Turkey explains.
The bank said it "identified the attack in the past week through its internal controls".
All too often, serious security breaches are only caught by third parties or government agencies, some time after they've been committed, rather than by the victim itself.
Trey Ford, global security strategist at Rapid7, the developers of Metasploit, credited HSBC Turkey for spotting the breach quickly.
"A couple of things stand out – the attack happened last week, and they’ve caught it already, and they caught it themselves," Ford said. "This is rather impressive, given that the vast majority of security breaches are detected by third parties, and often not for several months."
HSBC Turkey has notified the Banking Regulation and Supervision Agency of Turkey and other relevant authorities about the security breach.
An investigation aimed at identifying the criminals behind the hack has begun. In the meantime banking customers should continue to use their account as normal, HSBC Turkey advises.
The bank said that it is "not possible to print cards and withdraw money from ATMs with the compromised information" and likewise "not possible to make any transactions through internet banking or telephone banking with the compromised information".
"Our customers can continue to use internet banking and telephone banking confidently," it added.
Ford said this response was reasonable in the circumstances. "HSBC is underscoring that cards will not be re-issued at this time, and that the compromised data will not impact Internet Banking, ATM transactions, and telephone banking services. Customers can continue using their credit cards with confidence. This is because 'card present' transactions require additional information that would be encoded on the magnetic strip, and for 'card not present' transactions, the card security code (CVC or CVV2) would be required to transact business."
Although cybercrooks may be missing several pieces of information needed to carry out fraud, there's a very real possibility that they might attempt to hoodwink prospective marks into handing over this information through phishing scams or similar trickery.
Extra vigilance would be prudent and we'd be inclined to support HSBC Turkey customers who went further and requested a reissued card.