Hand coming out of a monitor and stealing money

HSBC sent a letter to an unknown number of U.S. customers of the bank on November 2, notifying them that their personal information may have compromised in a data breach. The letter said that online accounts had been accessed by unauthorized users between October 4, 2018 and October 14, 2018.

The letter warned that information breached may include, “full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available.”

Another way of saying what may have been compromised: “Everything but your Social Security number.” But that’s not fair. Credit card numbers aren’t on the list either.

HSBC hasn’t released the number of potentially affected customers to whom they’ve sent the notification, so it’s difficult to accurately gauge the size of the breach, but the amount and types of personal information should come as a matter of extreme concern for customers.

The UK-based bank is providing identity theft protection to affected customers, but claims to have detected no signs of fraud. While the investigation is ongoing, UK computer security professor Alan Woodward has stated that it is likely a case of credential stuffing, where user login information compromised in breaches of other services is used to hack other accounts.

While the impact of the breach still remains to be seen, many of the standard preventative measures bank customers can take still apply: don’t re-use passwords, check haveibeenpwned.com to see if any active passwords have been leaked, use 2-Factor authentication with your accounts, and freeze your credit.

Read more about the story here.