HSBC has experienced a data breach affecting some of its U.S. banking customers.
According to a letter to customers shared by the California Attorney General’s Office, customer accounts were accessed between October 4 and October 14, with attackers able to steal names, dates of birth, account numbers, transaction histories, account balances, and payee account information. The attackers could also access contact information such as mailing addresses, phone numbers, and email addresses for affected customers.
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” the company said in a statement shared with Fast Company. “We responded to this incident by fortifying our log-on and authentication processes, and implemented additional layers of security for digital and mobile access to all personal and business banking accounts. We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identity theft protection service.”
So far, the bank hasn’t spotted evidence of fraud using the stolen credentials.
Less than 1% of U.S. customers were affected by the breach, the BBC reports. The bank has approximately 1.4 million customers in the United States.
The incident is believed to be a “credential stuffing” attack, MarketWatch reports, where attackers take usernames and passwords captured from one breach and use them to breach additional sites where people reused those credentials.
“We are advising our consumers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts,” according to HSBC.