
HSBC admits to understating data theft

by Dave Neal

12 Mar 2010


HSBC has admitted that it grossly understated the extent of a recent customer data heist.

The company has released a statement saying that the theft was perpetrated by a former IT employee about three years ago, and affected approximately 15,000 clients who had accounts with the bank in Switzerland before October 2006.

“We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy,” said Alexandre Zeller, chief executive of HSBC Private Bank (Suisse) SA. “We are determined to protect our clients’ interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts.”

HSBC said originally that the incident had affected just 10 clients, and the apparent seriousness of the breach highlights some concerning security trends, according to experts.

Steve Moyle, founder and chief technology officer at security firm Secerno, argued that the theft was particularly concerning because it was committed by an insider and covered a lot of bases, and criticised the bank for failing to disclose the full details.

"How could HSBC identify 'fewer than 10' affected, and then have a breach that in reality numbered in the tens of thousands?" he asked.

Other security companies were also critical of the bank. "Here is yet another powerful example of the significant risk of unmanaged and unmonitored privileged accounts," said Udi Mokady, president and chief executive at Cyber-Ark.

"We are seeing that organisations now get the message about the high risk of not controlling their privileged accounts and super users."

Speaking at the RSA Conference earlier this month, Kimberley Kiefer Peretti, senior counsel at the US Department of Justice, stressed the importance of firms coming clean and being involved in data theft investigations, as it helps to speed up the resolution process.

"In every case where we had a successful prosecution it was because of close collaboration with the victim," she said.

Financial organisations have come under increasing scrutiny from a range of sources this month. A recent study carried out for Compuware by the Ponemon Institute found that many lack proper security protection and procedures.

"One of the most important things a company can do to assure their future success is to plug the holes in their security policies that were demonstrated in this study," said Ponemon Institute chairman and founder Larry Ponemon.

"While there is a great deal of progress being made, there is still a long way to go."
