Two HSBC breaches with similar circumstances

Date Reported:
5/28/08

Organization:
Hong Kong and Shanghai Banking Corporation ("HSBC")

Contractor/Consultant/Branch:
HSBC Branch at Bayview & Major Mackenzie (CA)
HSBC Branch in UK (Cheshire)

Victims:
Customers

Number Affected:
Unknown, "hundreds of bank customers" in Canada

Types of Data:
"personal information" in Canada, and "credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers" in the UK

Breach Description:
Two breaches were reported in the past week affecting HSBC customers in Canada and the UK.  In Canada, "A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road."  In the UK "papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street."

Reference URL:
CTV News Toronto
Wigan Observer

Report Credit:
CTV News Toronto and Richard Bean at the Wigan Observer

Response:
From the online sources cited above:

In Canada:
A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road.

He took the bag to a police station after a quick peek inside revealed the personal information of hundreds of bank customers.
[Evan] Information security aims to reduce the risk of unauthorized disclosure, modification, and destruction of confidential information to an "acceptable level" no matter what form the confidential information takes.  Unauthorized disclosure of confidential information on paper is just as damaging as unauthorized disclosure of confidential information on a backup tape, CD, laptop, etc.

he was in the Bayview Avenue and Major Mackenzie Drive area when he spotted the red bag at the side of the road with the HSBC bank logo emblazoned at the front.
[Evan] I presume that this bag was lost in shipment.  Was the information in the bag or the bag itself inventoried?  Do you suppose the bank would have ever noticed that the bag was missing?

the bag belonged to the HSBC branch at Bayview and Major Mackenzie

"There were about 300 of them," he told CTV Toronto Saturday night. "There were more documents in there destroyed by the rain."

he tried to contact the bank but didn't have much luck

York Regional Police are speaking with bank officials as they investigate how the sensitive information ended up on the side of a road.

In the UK:
An investigation is under way after bank details of Wigan customers were found dumped in Cheshire.
[Evan] Does "dumped" mean thrown away, like in a dumpster?

The confidential 60-page sheaf of A4 documents featured lists of customers of high street bank HSBC.

Among the information contained in the papers were credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers.
[Evan] Sheesh.  A bad guy (or gal) could do a helluva lot of damage with this information.

The papers, which relate to current bank accounts and applications, were found in a quiet road in Sale by children playing in the street.

Lynne Stewart, 47, whose children found the documents, has informed the police and is waiting for them to collect them

She said: "I would be extremely worried and angry if I was a customer of theirs because this is just the type of stuff that criminal gangs would love to get their hands on." She has now filled a bag with as many of the computer print-offs as she could find, although she fears that many more have blown away on the windiest day of the year.

The papers were initially found by her nine-year-old daughter Xxxxxx who then alerted her brother Xxxxxx, 12.
[Evan] My comment here is not related to the breach itself, but I feel a little uncomfortable using children's names publicly.

Neither understood the significance of the papers – although Mrs Stewart immediately did.

She said: "Reece had been to get his ball back after it had bounced into a sub-station and says he saw a pile on top of the transformer and they were whistling around in the gale.

"But it was Jessica who grabbed one as it blew past her in the street and showed it to me.

"I have counted at least 15 pages of lists of names and account details before you even start to talk about letters applying for credit cards and photo copies of personal documents which people have sent to the bank when they have made these applications.
"I find it very alarming that this kind of information is just blowing about in the street.
[Evan] No doubt!

"Surely in this day and age when ID fraud is all over the news the bank should be more careful about this information being printed out on paper."

A spokesman for HSBC, which has branches in Mesnes Road and Wallgate, said: "HSBC is investigating the find of documents found in Greater Manchester over the weekend.

"The security of our customers' personal information is of paramount importance and we have stringent procedures in place to guard against their loss.
[Evan] Is everyone aware of and following the "stringent procedures"?

"Without speculating on how this occurred, something has clearly gone wrong, and we are extremely disappointed to hear of these particular circumstances.

"When the cause of the incident has been determined, we will be reviewing our processes to ensure this does not happen again."
[Evan] In my opinion, promises that are made but cannot be fulfilled lead to a loss of confidence.

A UK Victim's Reaction:
"I can't believe it. The first I knew was when I was contacted by the person who found them. It is unforgivable that the bank would firstly lose such confidential details and then fail to tell its clients what had happened."

"I have been with this bank since I was a young lad and it is very disappointing indeed."

Commentary:
Let's take this from both sides for a second.  Poor information security practice led to these two breaches.  Real lives are affected when these things happen and HSBC should be more careful in the way they protect confidential personal information.  I count five publicly reported breaches from HSBC in the past six months including the two in this post.  There are likely more that weren't reported publicly as well.

Now the other side, for argument's sake.  HSBC is a huge company with ~10,000 offices in 83 countries and territories around the world.  I presume that they also have hundreds of thousands of customers (maybe millions).  Information security breaches in companies this large and diverse are bound to happen.  It isn't possible to eliminate them, so the best you can hope to do is reduce risk to a level that is "acceptable" to management and shareholders.  Information security personnel are not in the risk elimination business; we are in the risk reduction business.  This is reality.

Past Breaches:
May, 2008 - HSBC loses a server in branch renovation
April, 2008 - HSBC loses disc with 370,000 customer details
February, 2008 - Five-year-old wanders into bank branch after-hours


 