HSBC Reports Accidental Exposure of Customer Bankruptcy Info

Software 'Bug' Revealed Personal Data Online An undisclosed number of HSBC customers had personal data exposed online about their bankruptcy proceedings, according to a data breach notification letter dated November 20 and sent to the New Hampshire attorney general's office. The letter was made public last week.

The bank says a bug in its imaging software - which should have redacted sensitive data about customers going through Chapter 13 bankruptcy proceedings -- ended up exposing the proof of claim forms that were filed electronically. The "bug" was discovered by HSBC Taxpayer Financial Services, Inc. on July 9, 2009. The notification letter says the information turned out to be viewable "as a result of the deficiency in the software used to save imaged documents." The exposed data included claim forms filed between May 1, 2007 and October 17, 2009.

HSBC did not say what the problem was with the imaging software, but says a limited number of customers were affected. The company sent letters to affected customers in October and is offering them one year of free credit monitoring.

Some customers of the following HSBC companies are affected: HSBC Taxpayer Financial Services, Beneficial New Hampshire and Household Finance Corporation. The exposed data may include HSBC credit card, line-of-credit or mortgage information, the company says.

Based in London, HSBC is one of the largest banking and financial services companies in the world. HSBC lists assets of more than $390 billion, according to the Federal Reserve's list of top 50 Bank Holding Companies.

Analysis of Breach

If the exposed data was truly due to a "bug" in the software, then there isn't much HSBC could have done technically, says Matt Davis, Audit and Compliance principal practice lead at SecureState, a Cleveland, OH-based risk management assessment firm. "In most cases, these 'bugs' are actually misconfigurations of the software," Davis says.

Often, Davis adds, vendors are required to provide a technical implementation guide that says how to install software properly. "When doing PCI DSS audits, it's one of the first things I look for with clients using commercial software -- to see if they have that guide and followed it," he says. "Unlike electronics manuals, in these cases, you definitely need to read the instructions."

What HSBC should have done, he says, is some sort of audit or assessment of the application to ensure the effectiveness of the encryption/redact controls. "It's the old 'trust but verify.' If you think about it, the testing necessary was simply sampling the records. It's a bit sad really, as it looks like they were trying to do the right thing."

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.