HSBC Reports Accidental Exposure of Customer Bankruptcy Info
Software 'Bug' Revealed Personal Data Online
An undisclosed number of HSBC customers had personal data exposed online about their bankruptcy proceedings, according to a data breach notification letter dated November 20 and sent to the New Hampshire attorney general's office. The letter was made public last week.
The bank says a bug in its imaging software, which should have redacted sensitive data about customers going through Chapter 13 bankruptcy proceedings, ended up exposing the proof of claim forms that were filed electronically. The "bug" was discovered by HSBC Taxpayer Financial Services, Inc. on July 9, 2009. The notification letter says the information turned out to be viewable "as a result of the deficiency in the software used to save imaged documents." The exposed data included claim forms filed between May 1, 2007 and October 17, 2009.
HSBC did not say what the problem was with the imaging software, but says a limited number of customers were affected. The company sent letters to affected customers in October and is offering them one year of free credit monitoring.
Some customers of the following HSBC companies are affected: HSBC Taxpayer Financial Services, Beneficial New Hampshire and Household Finance Corporation. The exposed data may include HSBC credit card, line-of-credit or mortgage information, the company says.
Based in London, HSBC is one of the largest banking and financial services companies in the world. HSBC lists assets of more than $390 billion, according to the Federal Reserve's list of top 50 Bank Holding Companies.
Analysis of Breach
If the exposed data was truly due to a "bug" in the software, then there isn't much HSBC could have done technically, says Matt Davis, Audit and Compliance principal practice lead at SecureState, a Cleveland, OH-based risk management assessment firm. "In most cases, these 'bugs' are actually misconfigurations of the software," Davis says.
Often, Davis adds, vendors are required to provide a technical implementation guide that says how to install software properly. "When doing PCI DSS audits, it's one of the first things I look for with clients using commercial software -- to see if they have that guide and followed it," he says. "Unlike electronics manuals, in these cases, you definitely need to read the instructions."
What HSBC should have done, he says, is some sort of audit or assessment of the application to ensure the effectiveness of the encryption/redaction controls. "It's the old 'trust but verify.' If you think about it, the testing necessary was simply sampling the records. It's a bit sad really, as it looks like they were trying to do the right thing."
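As an added illustration of the "sampling the records" check Davis describes (example code written for this page, not HSBC's or SecureState's), the following Python script draws a sample of saved imaged documents and flags any in which the redaction step left a full SSN or account number visible. The document text and the redaction policy it assumes (only the last four digits of an SSN or account number may remain visible) are constructed for the example; the article does not state either.

```python
import random
import re
from dataclasses import dataclass

# Values the redaction step is expected to mask. Assumed policy (not stated in
# the article): only the last four digits of an SSN or account number may stay
# visible, so a redacted field ("xxx-xx-4321", "************9876") matches neither.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # full, unmasked SSN
ACCOUNT_RE = re.compile(r"\b\d{12,16}\b")         # full card/account number


@dataclass
class Finding:
    doc_id: str
    kind: str      # "ssn" or "account"
    excerpt: str   # the unmasked value as it appears in the saved document


def scan_document(doc_id: str, text: str) -> list[Finding]:
    """Return one Finding per unredacted sensitive value in a saved document."""
    found = [Finding(doc_id, "ssn", m.group()) for m in SSN_RE.finditer(text)]
    found += [Finding(doc_id, "account", m.group()) for m in ACCOUNT_RE.finditer(text)]
    return found


def sample_and_verify(documents: dict[str, str], sample_size: int, seed: int = 0):
    """Sample saved documents; return (sampled_ids, {doc_id: findings}) for failures."""
    rng = random.Random(seed)  # fixed seed so the audit sample is reproducible
    chosen = rng.sample(sorted(documents), min(sample_size, len(documents)))
    failures = {}
    for doc_id in chosen:
        found = scan_document(doc_id, documents[doc_id])
        if found:                   # any unmasked value means the control failed
            failures[doc_id] = found
    return chosen, failures


def redaction_failure_rate(documents: dict[str, str], sample_size: int, seed: int = 0) -> float:
    """Fraction of sampled documents that still contain unmasked data."""
    chosen, failures = sample_and_verify(documents, sample_size, seed)
    return len(failures) / len(chosen) if chosen else 0.0


# Constructed text of three saved proof-of-claim images; every value is fake.
SAVED_DOCUMENTS = {
    "claim-0001": "Proof of Claim. Debtor SSN: xxx-xx-4321. Account: ************9876.",
    "claim-0002": "Proof of Claim. Debtor SSN: 123-45-6789. Account: ************1122.",
    "claim-0003": "Proof of Claim. Debtor SSN: xxx-xx-1111. Account: 4000123412345678.",
}

if __name__ == "__main__":
    _, bad = sample_and_verify(SAVED_DOCUMENTS, sample_size=3)
    for doc_id, found in bad.items():
        print(doc_id, [(f.kind, f.excerpt) for f in found])
    print(f"redaction failure rate: {redaction_failure_rate(SAVED_DOCUMENTS, 3):.2f}")
```

In a real audit the text would come from OCR of the stored images rather than a dictionary, and a single failure in the sample is enough to stop and inspect the software's configuration.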