The theft of 15,000 records of HSBC Swiss account holders is “inexcusable,” according to a security expert who provides consulting services to financial firms, and the bank should have taken steps to prevent the loss.
“As an HSBC customer, I’m appalled,” said Steve Markey, founder and principal of Philadelphia-based data security and privacy consulting firm nControl LLC whose clients include AIG, Haverford Trust and Printz Capital Management. “As a security and privacy expert, controls should be in place.”
According to Markey, up to 70 percent of all security breaches are a result of insider threats.
Banks need to segregate duties so that only those employees who need to can access sensitive data, he said, and have data leakage and loss prevention technology in place.
“And you can regularly train employees on the ramifications,” he added. “That you will get caught. That you will go to prison.”
Markey also expressed concern about the length of time it took for the loss to be discovered.
“It borders on the criminal that it took three years for this to come to light,” he said. Markey added that the bank should offer credit monitoring services to all those affected.
The issue came to light when the hacker – former HSBC technology employee Herve Falciani – attempted to sell 3,000 of the stolen names to French authorities, and the authorities turned the data over to HSBC.
The Swiss Bankers Association criticized the French authorities for taking too long to notify HSBC about the theft.
“We strongly condemn any state that induces such criminal behaviour or indeed rewards it financially,” the group said in a statement.
According to Germany’s Der Spiegel newspaper, the HSBC employee also offered to sell the names of 1,300 Germans with Swiss accounts to Germany for 2.5 million euros. This would allow Germany to recover between 100 and 200 million euros in unpaid taxes, German media report. German Finance Minister Wolfgang Schaeuble said he was willing to buy the data, sparking a storm of international outrage.
“I hope the taxing authorities are smart enough to realize that those who live by the sword are likely to die by it,” Harvey Pitt, former chairman of the U.S. Securities and Exchange Commission, told Securities Industry News.
“I believe government should resoundingly reject purloined data files, and make that objection loudly and unequivocally,” said Pitt, now chief executive officer of Washington, D.C.-based consulting firm Kalorama Partners LLC. “However tempting it may be to sneak a peek at the purloined data, the most effective way to put a stop to this nonsense is to disincentivize those who might otherwise be tempted to hack into computer systems.”
Pitt said that he gives high marks to HSBC for addressing the problem and apologizing to its customers.
“Those who prey upon computer systems are a menace to modern society,” he said. “Most financial services firms–like HSBC–take elaborate precautions to prevent information theft. But, unfortunately, that’s not an assurance that they can be successful. The key thing this incident reflects is that financial services firms have to be continuously and perpetually reviewing and improving their firewalls to shut hackers out of their systems.”
HSBC’s Swiss subsidiary HSBC Private Bank SA admitted today that a former employee stole records on 15,000 clients and passed them to French government authorities, and apologized for the breach.
“We deeply regret this situation and unreservedly apologize to our clients for this threat to their privacy,” said the Swiss bank CEO Alexandre Zeller in a statement issued this morning. “We are determined to protect our clients’ interests and are taking every necessary measure to do so, actively contacting all our clients with Swiss-based accounts.”
The theft took place three years ago, the bank said, and is limited to accounts in Switzerland. The data will not allow outsiders access to these bank accounts, the bank said. However, the breach does expose customers to potential prosecution by tax authorities.
“The Swiss authorities confirmed to us that they will not support the use of the stolen data to answer requests from foreign authorities,” HSBC said in a statement. “The French authorities have informed the Swiss authorities that the data they hold will not be used inappropriately.”
The bank said it has already taken steps to improve security, including spending 100 million Swiss francs (US$93 million) on system and security upgrades.
In addition, some media reports say that an additional 9,000 closed accounts were also affected by this breach, bringing the total to 24,000, but the bank has not confirmed this as of deadline.
The bank declined to say directly whether account holders in the U.S. were affected by the data breach.
“The only comment I can make in regards to your inquiry [is that] our private bank in Switzerland has an international client base,” said HSBC spokeswoman Juanita Guitierrez.