HSBC Turkey has confessed to a security breach exposing the details of 2.7m credit card accounts, but the bank has decided not to reissue cards after concluding that the data exposed is not enough to make fraudulent transactions.
The compromise – limited to the international bank's business in Turkey – exposed credit card numbers, expiration dates, names, and the associated HSBC account number.
The breach was detected internally and has not been linked to any fraudulent transactions, as a notice (PDF, English language) by HSBC Turkey explains. The bank said it "identified the attack in the past week through our internal controls".
Often serious security breaches are only caught by third parties or government agencies rather than the victim itself. Trey Ford, global security strategist at Rapid7, the developers of Metasploit, credited HSBC Turkey for spotting the breach quickly.
"A couple of things stand out – the attack happened last week, and they’ve caught it already, and they caught it themselves," Ford said. "This is impressive given that the vast majority of breaches are detected by third parties, and often not for months."
HSBC Turkey has notified the Banking Regulation and Supervision Agency of Turkey and other relevant authorities about the breach. An investigation aimed at identifying the perps behind the hack has begun. In the meantime banking customers should continue to use their account as normal, HSBC Turkey advises.
The bank said it is "not possible to print cards and withdraw money from ATMs with the compromised information" and likewise "not possible to make any transactions through internet banking or telephone banking with the compromised information".
"Our customers can continue to use internet banking and telephone banking confidently," it added.
Ford said this response was reasonable in the circumstances.
"HSBC is underscoring that cards will not be re-issued at this time, and that the compromised data will not impact Internet Banking, ATM transactions, and telephone banking services; customers can continue using their cards with confidence. This is because 'card present' transactions require additional information that would be encoded on the magnetic strip, and for 'card not present' transactions, the card security code (CVC or CVV2) would be required to transact business."
Although cybercrooks may be missing pieces of information needed to carry out fraud, there's a very real possibility that they might attempt to hoodwink prospective marks into handing over this information through phishing scams or similar trickery. Extra vigilance would be prudent and we'd be inclined to support HSBC Turkey customers who went further and requested a reissued card. ®