HSBC Admits Data Loss, Apologizes to Customers

HSBC’s Swiss subsidiary HSBC Private Bank SA admitted Thursday that a former employee stole records on 15,000 clients and passed them to French government authorities.

The company apologized to its customers for the breach.

“We deeply regret this situation and unreservedly apologise to our clients for this threat to their privacy,” Alexandre Zeller, chief executive of the Swiss bank, said in a statement issued this morning. “We are determined to protect our clients’ interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts.”

The theft took place three years ago, the bank said, and is limited to accounts in Switzerland.

The data will not allow outsiders access to these bank accounts, the bank said. However, the breach does expose customers to potential prosecution by tax authorities.

Last year, the French government admitted that it had obtained a list of 3,000 French clients of HSBC from numerous sources, including a former HSBC employee who was identified by French prosecutors as Herve Falciani.

“The Swiss authorities confirmed to us that they will not support the use of the stolen data to answer requests from foreign authorities,” HSBC said in a statement. “The French authorities have informed the Swiss authorities that the data they hold will not be used inappropriately.”

Last month, German Finance Minister Wolfgang Schaeuble said that Germany was willing to pay for stolen data in pursuit of tax evaders.

“As an HSBC customer, I’m appalled,” said Steve Markey, founder and principal of Philadelphia-based compliance and security firm nControl LLC. “As a security and privacy expert, controls should be in place.”

According to Markey, up to 70 percent of all security breaches are a result of insider threats.

“An international firm like HSBC should have these controls in place,” he told Securities Industry News. “It’s excusable.”

The bank said it has already taken steps to improve security, including spending 100 million Swiss francs (US$93 million) on system and security upgrades.

Some media reports say that an additional 9,000 closed accounts were affected by this breach, bringing the total to 24,000, but the bank has not confirmed this as of deadline.

There was no information available about whether U.S.-based account holders were affected.

However, late last year, the bank filed a statement with the New Hampshire attorney general admitting that customer information was accidentally exposed in another security incident, as a result of “software error.” That problem has since been resolved, the bank said.

Read full article at Information Management. Article originally appeared in Securities Industry News, which has since closed down.