HSBC Turkey Confirms Card Breach2.7 Million Customers Affected by Cyber-Attack
HSBC Turkey confirms that a recent cyber-attack exposed payment card information for 2.7 million customers.
The bank is a subsidiary of London-based HSBC Group, which has operations worldwide in 74 countries and territories.
Information compromised in the breach includes debit and credit cardholder names, account numbers and expiration dates. The bank says that, so far, it has not seen any evidence of fraud or other suspicious activity arising from the incident.
HSBC Turkey detected the attack in the past week through its internal security controls, according to an FAQ. The attack was limited to Turkey, and all card operations have been restored to normal functioning, the bank says. No other details about the nature of the incident were revealed.
An investigation is under way in collaboration with the Banking Regulation and Supervision Agency of Turkey and other relevant authorities, HSBC Turkey says. Turkey's Public Prosecutor's Office has also been notified about the incident.
Remediation and customer care stand out as the true litmus tests for how companies are perceived after a data breach, says John Buzzard, manager for products and fraud operations at FICO Card Alert Service. "Consumers want to see a unified, transparent message stream, and I think HSBC delivered," he says.
But a true review of the bank's notification practices will come when better insight into the nature of the breach is revealed, says Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "If it was an advanced persistent threat and they managed to detect it early, that would speak well of their detection and response capability," he says. "But it's too early to really say."
"The HSBC Group takes the security of its customers' information extremely seriously and constantly reviews systems and security," the institution says. "We are leveraging the strength of HSBC's global network and security expertise to take swift and decisive action."
As a result of the breach, the bank says it has implemented enhanced security measures to improve the security of its information systems and card transactions.
The HSBC Turkey breach comes just a few weeks after JPMorgan Chase confirmed that personal information about 76 million households and 7 million small businesses had been breached in a sophisticated cyber-attack (see: Chase Breach Offers Detection Lessons). Information compromised in that attack included customers' contact information, including names, addresses, phone numbers and e-mail addresses.
Banks still have some of the most secure systems, Wills says. "But threats have evolved, in both complexity and volume, to the point that it's not feasible to expect 100 percent prevention of breaches. For that reason, the information security industry is moving to more of a detection and response paradigm. Prevention is still critical ... [it's] just no longer enough."