HSBC Finance Corporation has begun notifying an undisclosed number of consumers whose mortgage account information was inadvertently exposed on the Internet. The firm believes the exposure began sometime towards the end of 2014 and continued until March 27, 2015, when they learned of the breach.
Security experts from Secure Channels, Lancope and Tripwire have provided comments and insight
Richard Blech, CEO, Secure Channels (www.securechannels.com):
“HSBC’S negligence with personal sensitive data is another symptom of the overall disregard of protecting data. HSBC wasn’t breached but they were lazy, which would have ended up with a breach if they hadn’t released the info themselves. Ironically this would not have been a news story if they had simply encrypted the sensitive data in the first place leaving only unreadable and useless bits and bytes if leaked.”
TK Keanini, CTO of Lancope (www.lancope.com):
“HSBC is a connected business and by that I mean connected to subsidiaries, to partners, and to consumers. Attackers know this and know that they only need to find a single entry point and once in, they can start to operate across this connected business. HSBC is like any other business today, highly connected and digitally dependent. Let us just hope that the right level of telemetry is on the network itself so that the right level of forensics can ensure that everything known about the breach is known for remediation. These threats often leave ‘doors’ to get back in because they know they will be discovered at some point.”
How could a bank not detect a breach for almost three-four months? Because it is not the breach you should be looking for, it is anomalous activity and this is why detection is such a problem these days. The attackers are obtaining credentials to accounts and when operating on your network, the traditional security devices are waiting for security violations to occur and they simply don’t trigger because attackers are operating with stolen authorization.
Networks need to be built of retrofitted with a level of accounting that leaves the attacker no place to hide. This must be done prior to incident and must be made standard. Once in place, state of the art anomaly detection is the countermeasure for this threat.
In this co-evolutionary cycle, the fact that the threat had to go to the third party to find a access vector infers that the local security of HSBC was effective. When the attackers want something, they will continue to innovate their measures until they find a way in even if it means going through some alternative access vector.”
Tim Erlin, security and IT risk strategist, Tripwire (www.tripwire.com):
“This is an example of breach notification laws in action, for both good and bad. We’re finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries so that the extent and impact is obscured.
The notification describes data ‘inadvertently made accessible via the Internet,’ which might simply mean a spreadsheet shared where it shouldn’t have been. It could be that this incident really is contained to 685 residents of New Hampshire, and was the result of simple human error.”