HSBC Finance in the US is notifying customers that it has inadvertently been publishing their mortgage data online since last year.
HSBC is believed to have exposed customer names, account numbers, social security numbers, and telephone details, in a move which isn't being attributed to hackers, and as such is almost definitely a corporate cock-up.
The leak, discovered on 27 March, is believed to have begun towards the end of last year. A number of subsidiary firms have also been affected, and the damage outside of New Hampshire is expected to be substantial.
Confirmation comes only through a letter sent to the New Hampshire Attorney General's Office informing it of the breach. Mandatory disclosure is a legal obligation in the state of New Hampshire, where 685 residents are believed to be caught by the leak.
"We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident," the bank writes.
The Register has received some vendor comments regarding the breach.
Troy Gill, Manager of Security Research at Appriver, said:
"With so many of the bank's subsidiaries being named, the number of those affected will likely be quite substantial."
"Since HSBC does not appear to be claiming that it suffered a breach by hackers it seems that it may have inadvertently stored the data in a manner that made it accessible on the internet."
"In this case the data could have potentially been compromised by countless groups/individuals to be used for nefarious purposes. With personal information including social security numbers being involved, this could have a severe impact for their account holders."
Tim Erlin, a Director of Security and Risk at Tripwire, noted that:
"This is an example of breach notification laws in action, for both good and bad. We’re finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries so that the extent and impact is obscured."
"The notification describes data ‘inadvertently made accessible via the internet', which might simply mean a spreadsheet shared where it shouldn’t have been.
"It could be that this incident really is contained to 685 residents of New Hampshire, and was the result of simple human error."
Amichai Shulman, CTO at Imperva, stated that:
"The issue at hand is that customer files (or a single file containing data for multiple customers) was mistakenly transferred to a web server available on the web.
"That file (or those files) were indexed by Google (or some other search engine) and thus became available to everyone. My guess is that it became aware of it through someone who did some Google snooping and incidentally bumped into this file."
HSBC adds that it has now closed the stable door: "We have ensured that the information is no longer accessible publicly. The company has notified law enforcement and the credit reporting agencies of the incident."
An HSBC Finance spokesman added that the matter only affects some mortgage customers of HSBC Finance Corp in the US. ®