HSBC loses a server in branch renovation
Technorati Tag: Security Breach
Date Reported:
5/7/08
Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")
Contractor/Consultant/Branch:
Kwun Tong branch
Victims:
Customers
Number Affected:
159,000
Types of Data:
"name, account number and transactions of customers"
Breach Description:
"HONG KONG, May 8 (Xinhua) -- The Hong Kong branch of banking giant Hongkong and Shanghai Banking Corporation Limited (HSBC) has lost a computer server with client data involving about 159,000 accounts, the bank confirmed on Wednesday."
Reference URL:
IDG Magazines Norge
Xinhua News Agency
The Standard
Report Credit:
The Breach Blog was notified by an anonymous tip at 11:15AM on May 7th. It just took me a while to get it posted. Sorry for the delay!
Response:
From the online sources cited above:
HSBC has admitted losing a server containing data on 159,000 customers.
[Evan] How do you lose a server?
The server went missing on 26 April from its Kwun Tong district branch in Hong Kong during renovation work.
The server held customer names, account numbers, transaction amounts and transaction types.
HSBC said the server is protected by "multiple layers of security" and the risk of data breaches and fraud is "deemed to be low".
[Evan] What kind of "multiple layers of security"? This is one of those statements that is misused and overused. Without details, who knows what they are talking about.
The server contained no PIN codes or online banking login credentials.
The bank said it has reported the incident to the police, the Hong Kong Monetary Authority, and the Hong Kong privacy commissioner.
The case has been classified as theft.
[Evan] Ah, so HSBC didn't really "lose" the server? It was stolen.
The Monetary Authority has demanded that the bank contact all the affected customers and explain what measures could be taken to avoid potential losses thereof.
The bank is contacting customers, who will not be liable for any financial loss arising from any fraudulent activity as a result of the lost data.
"Clients' data are kept in a confidential manner. If any complaint arises, we will deal with it case by case," HSBC chairman Vincent Cheng Hoi-chuen said.
Internet Society chairman Charles Mok Nai-kwong said even though the server has been encrypted, there may still be ways to access the data.
[Evan] Charles Mok Nai-kwong states that the server was encrypted. This is a good thing.
"I do not know how advanced the system is or the skill of those who want to access the data. But if the server goes to the police, they will have ways to get the data," Mok said.
[Evan] This reminds me of a few stories I have read where authorities were unable to break commercially available encryption implementations. The one case that comes to mind was the case of the FBI unable to crack PGP encrypted PDAs captured from terrorists. If the encryption was implemented correctly and key management is sound, it would be very difficult for the police to access meaningful information.
Commentary:
What type of physical controls were present at the time of the server theft? Stuart King on his ComputerWeekly Risk management blog sums this up very well when he says "Spend all you want on boxes of tricks to stop the hackers getting in, but forget to lock the door to the servers and it's game over."
The last HSBC breach that we reported on The Breach Blog was also physical security related, see below.
Past Breaches:
February, 2008 - Five-year-old wanders into bank branch after-hours