HSBC Confirms Customer Card Data Was Stolen

HSBC confirmed that thieves stole card payment data from the bank and that it was reissuing 6,000 ATM/debit cards to customers affected by the breach. One Consumerist reader, Keith, had $2000 stolen from him via an ATM in Bulgaria, and another, Emily, had $2,800 siphoned from her account from ATMs located clear across the country. (Emily also got interviewed on WCBS, and we got a mention and a screenshot.) Checking the comments section, it looks like 11 other Consumerist readers were affected by the HSBC fraud as well, with a number of the fraudulent withdrawals being made from Montreal and Canada. It sounds like the thieves stole the data, which contained both card numbers and PIN codes, and then cloned ATM/debit cards. If you’re an HSBC customer, it might be a good time to change your PIN number.

Comments

  1. sp00nix says:

    Whoops!

  2. wickedpixel says:

    If you’re an HSBC customer, be sure to check your balance daily and immediately report any suspicious withdrawals.

    I’d change that recommendation to “If you’re an HSBC customer, be sure to change your PIN right now to prevent unauthorized use of your card,” rather than just sitting back and waiting for it.

  3. SaveMeJeebus says:

    Time to take it seriously!

  4. Mina_da_mad_child says:

    OMG! My friend had $1,000 stolen from her HSBC account this Monday night and Tuesday morning. When she called the bank, they nonchalantly told her she was on the list of customers to contact regarding the recent theft in customer information.

  5. forgottenpassword says:

    I am curious to know exactly HOW this data was stolen.

  6. B says:

    @forgottenpassword: Insecure firewall.

  7. evslin says:

    @Mina_da_mad_child: wtf. “Yeah, we meant to tell you about that…”

    Sheesh.

  8. Falconfire says:

    @B: kinda funny when you’re talking about a company that requires you to use an on-screen keyboard as a secondary input to prevent keylogging.

  9. shadow735 says:

    @forgottenpassword: Someone probably left their laptop at a Starbucks coffee shop….

  10. B says:

    @shadow735: Were that the case, I’d still blame HSBC because 1) Employees shouldn’t be able to store customer data on laptop (or desktop) drives, and 2) laptop drives should be encrypted.

  11. UpsetPanda says:

    @B: I’d second that number 1 and add that employees should not be able to take the laptops out of the building.

  12. shadow735 says:

    @B: I was guestimating (I know it’s not a word) because we all know how big companies make such stupid mistakes, actually I just thought the info could have just been downloaded if they were using wifi or a wireless router.
    When you are dealing with big companies the sophisticated thieves are going to be on the prowl.

  13. viqas says:

    Probably someone at their overseas offices sold the data for 5 bucks

  14. coreyk72 says:

    4 more victims on New York Magazine’s blog:
    [nymag.com]

    Plus Emily (my fiancee) knows two other victims.

    Also, Emily & I were at dinner last night in the neighborhood and actually overheard someone talking about being a HSBC victim at the next table.

    This thing is probably fairly widespread and kudos to HSBC for somehow keeping this from becoming a big news story.

    For those of you in NYC, we will have the story on the WNBC 4 7PM News w/Chuck Scarborough tonight.

  15. bohemian says:

    @UpsetPanda: Usually laptops that are allowed to leave a facility use a VPN to connect back to the company/bank/agency etc. That way there is very little if anything actually ON the laptop.

    This wasn’t a data breach at a retailer, or a card processor or data collector like the TJMaxx breach. This was THE FREAKING BANK.

  16. ancientsociety says:

    Yes, but the real question is:

    Is HSBC “taking this very seriously”?

  17. GenXCub says:

    Montreal AND Canada. You have to watch those two distinctly different places, they’re sneaky.

  18. zerj says:

    @bohemian: Unless of course that person opened the file over the VPN locally. Unless the hard drive is encrypted as well or they were running everything VNCed to a machine inside the firewall, there’s a good chance of the data being on the laptop. VPN really only protects the transfer of data to and from the laptop.

  19. mopar_man says:

    I don’t know about anybody else but if this happened to me (actually, even if it DIDN’T happen to me) and I read the story below this one about HSBC being the most identity theft-prone, I’d be switching banks. There’s no reason to continue doing business with a company that’s obviously incompetent.

  20. moore850 says:

    Simultaneously, deep within the credit processing bureau at HSBC:

    “click click click… beep…uh oh, spageddios!”

  21. QuantumRiff says:

    @bohemian: The VPN works great, until someone gets tired of entering their password, so they tell their VPN clients to save the password.

  22. Mina_da_mad_child says:

    HSBC told my friend someone in Russia was making purchases with her ATM card

  23. DMDDallas says:

    @QuantumRiff: No VPN client worth its salt lets you save a password.

  24. satoru says:

    The odd thing is that HSBC is a great bank if you’re not in America. I can’t figure out why their operations here are so sloppy and horrible.

  25. clevershark says:

    @forgottenpassword: My guess would be that someone installed a card skimmer on an ATM, along with a camera to capture PIN entry. This way you get all the magnetic stripe data AND the PIN.

  26. disavow says:

    @zerj: Yeah. I worked in IT for a financial advisory firm, and people would store client data on laptops all the time. They’d have to VPN in to access the account maintenance and client relationship management systems, but stuff like mailing lists, client portfolios and hypotheticals, etc. was fair game. And the only protection was a domain password, easily overridden by downloadable boot CDs.

    @DMDDallas: If only Cisco would realize that.

  27. Pro-Pain says:

    I don’t understand how this can happen. Can’t they trace these fraudulent transactions somehow? How DO people get away with this kind of theft?

  28. Vivi777 says:

    So I was one of the victims who posted previously. I was really happy to see Emily on the news yesterday! But unfortunately HSBC is still not taking this seriously at all. I have now called my assigned ‘investigator’ as well as her supervisor 12 times (at various times of the day for the past 2 days) and left 4 messages and I have still never been able to speak to them. They never called me back and never answer their phones. I’m only able to get through to the call center but they said they can only give information but not help me in any way. Today I just got charged an additional $140 in overdraft charges because of the fraud even though I am no longer overdrawn, the fraud happened over the week-end, and this is their fault. Unbelievable…

  29. MPHinPgh says:

    @GenXCub: I had to chuckle at that one. Montreal IS kind of a different world though. Even more so in Quebec.

  30. Barbarisater says:

    For those referencing disk encryption, new research has shown that it is not as secure as once believed.

    [www.news.com]

    Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft’s BitLocker and Apple’s FileVault and then view the contents of supposedly secure files.

  31. GearheadGeek says:

    @disavow: The difference is perhaps one of implementation. We use Cisco VPN but there’s no option to save a user password (though there’s a greyed-out option to clear it, so perhaps it’s disabled in the registry) and in any event we use a 2-factor auth (RSA SecurID fob with a number that changes every minute) so anything you saved would only be valid for a minute.

    Sounds like your employer is not taking advantage of the full feature set of Cisco’s VPN. It’s not really a secure VPN without some sort of 2-factor authentication.

  32. azntg says:

    Way to go HSBC! You guys are indeed the world’s local bank.

    I’m happy to know that someone in Russia, Bulgaria and Saudi Arabia aren’t sharing my account as we speak!

  33. ancientsociety says:

    @Barbarisater: Just wanted to say awesome s/n! Are you an Abnett fan too?

  34. emilyf says:

    Vivi, if you can get an email address for them, see if they will respond that way. I was able to get in touch w/ my rep thru email- and she actually suggested it because she knew she wouldn’t be able to get to the phone. Unfortunately, the email addresses go firstname.middleinitial.lastname@us.hsbc.com, so you might not be able to guess at the address with just the first & last name. Might be worth a shot to try it though.

    Just keep at them- dial random extensions to get anyone on the phone that you can. INSIST that you speak to someone in the fraud department with relevant knowledge and keep threatening to sue if they sound like they’re going to hang up on you. Worked for me!

    You should definitely not be responsible for overdraft fees. My account was negative $1925 or something like that at one point and I was not assessed overdraft fees. It is odd, but not surprising that even this is not consistent.

    I also would advise that you withdraw the majority of your money once you get the provisional credit. Close your original account and leave a nominal amount in a NEW account (make sure it is a free checking account). If they end up fighting you on the amount- at least fight over a negative balance than having your actual money tied up!

    What is scary to me is that this is STILL happening- someone posted about this happening on Monday/Tuesday of this week. How is this still happening when HSBC has known since LAST WEEK that there is a breach??

    As Corey mentioned, another story about this will be on NBC 4 (NYC) tonight at 7.

    Good luck!!

  35. Charybdis says:

    Fortunately I don’t bank with HSBC so I don’t have to change my Personal Identification Number number. I suppose they use those to access the ATM machines, huh?

  36. paperson says:

    I just CANCELLED my HSBC credit card today (before I saw this news) because of my fraudulent charge with Best Buy that I’ve been trying to resolve for six months to no avail. I told them the reason I’m canceling is because of the terrible customer service trying to resolve this issue.

    They offered me a lower credit card rate.

    “No, I want a full refund of the $100 fraudulent charge, which I have proof is fraudulent. I was vacationing in Canada at the time and have charges the same day in Canada and LA. Furthermore, their initial response 6 months ago was: Best Buy says that there was a physical card transaction with a valid signature, and here is a copy of that receipt.

    Um…I was only issued one physical credit card, which I had on my person in Canada, and the signature on the receipt for soft porn in Los Angeles is a name that looks nothing like my signature.

    Anyhow, after putting me on hold for ten minutes, they returned with the following counter-offer.

    “Sorry, since the vendor believes the charge was valid, they did not reverse the charge. We would be happy to refund you half the money if you do not cancel your business with us. However, if you do cancel your business, you will not receive any money from us.”

    “Well then, please cancel my card. I would rather pay the $100 than to continue fighting this fraudulent card. I have better things to do with my life.”

    I wanted to also rant and rave to them how I do know that HSBC is the financial backer behind Best Buy’s own credit card company, and how they are terrible supporting fraudulent practices rather than listening to a ten year customer. But like I said, I have better things to do than fight windmills for $100. And besides, the writing is already on the walls that both Best Buy and HSBC are horrible corporations and will soon die horrible deaths.

  37. Skunky says:

    I have a potentially dumb question: is this only for the branch type banks? I have a store credit card that’s handled by HSBC, so of course there’s no real PIN or ATM access, etc. Just wondering if I should be worried.

  38. AT203 says:

    Are people with HSBC-Direct online savings accounts at risk? I think they are issued ATM cards.

  39. AT203 says:

    I just called HSBC-Direct Online Savings department at 800-975-4722. I was told that only Mastercard Debit cards were at risk. Non-branded HSBC-Direct ATM cards are not.

  40. DMDDallas says:

    @disavow: I use the Cisco client for work and it doesn’t let you save the password. Odd.

  41. howie_in_az says:

    @AT203: I have an HSBC savings account and declined their offer of an ATM card. Everyone should do the same — it’s a savings account, not a checking account. I’ve found that giving myself easy access to my savings causes me to spend said savings.

  42. disavow says:

    @DMDDallas: Sounds like GearheadGeek is probably right that it’s a configurable setting, then. Which means that firm’s security is even worse than I thought. Wonder how long it’ll be before we see their (sekrit) name next to “customer data was stolen” on here. =P

  43. BlackestRose says:

    Notice at the end HSBC says they are liable for 0% (as in “not our fault, no way no how, and you can’t prove nuthin’”). Legally what is their liability? If they lost account data? How does it change if their customer service center didn’t act when first notified?

  44. sventurata says:

    @Vivi777: Um, (I know I’m treading on touchy ground here), you do realize investigators have hundreds of accounts they’re responsible for at any one time?

    Your experience sounds awful. I’m not trying to belittle it in any way. But it might be helpful to know that “your” assigned investigator can’t provide minute-by-minute feedback to hundreds of people, every day, AND complete their backend duties of adjusting accounts, compiling evidence, actually investigating the fraud, speaking with police/merchants/other banks, and so forth. Threatening to sue won’t change that… it’s just not part of the job function for them. If they need your help, they will call, and if they can help you, they will contact you.

    Should there be better communication in place? Of course! But it won’t happen any time soon. Too few employees, too much fraud.

    But they will sort it out. I hope, for your sake, immediately.

  45. Vivi777 says:

    @emilyf: Thank you for the advice Emily! I will try to get an e-mail address. And thank you for helping me and the other people affected by this sort through the HSBC “customer service” maze.
    @Mrs. Basil E. Frankweiler: I might not have been clear in my post but it was already determined (on Monday) that there was a fraud in my case. There is no investigation still needed to be done. The reason why you need to get in touch with your assigned investigator is because they are the only ones that can approve refunding the stolen amount before the HSBC default of ten business days. I’m sure they are getting a lot of requests like that but it is certainly not my problem and I don’t think the fact that they have hundreds of calls gives them the right to ignore their clients. Especially since they never notified anyone of the breach and continue to avoid taking any responsibility. If they had refunded everyone’s money as soon as they determined it was fraud (and not actually keep charging them overdraft fees) I don’t think anyone would have ever even posted on here.

  46. grusl says:

    This happened to me in 2006. About US$5000 was taken. HSBC won’t reveal how it happened. I have a Hong Kong-issued ATM card but the cash was stolen from New York, USA (so let’s not blame only Eastern Europeans). HSBC restored the amount, including interest, provided I signed a form saying the bank was not at fault. Interestingly, the thieves managed to withdraw up to US$1000 per transaction, something I’ve never been able to do. Very fishy.

  47. kc2idf says:

    I am joining a credit union today, and will be closing my accounts with HSBC just as soon as I can.

    Between this and having to pay HSBC to take my money (they want $15 to process a credit card payment by phone), I’ve had enough.

  48. sventurata says:

    @Vivi777: That’s helpful to know – thanks!

  49. garmento says:

    I had no idea that HSBC was involved with a widespread fraud problem until I looked at my checking account balance today. There were approximately $3000 worth of ATM withdrawals in Fuengirola, Spain on 2/29 and 3/1. I sent more details to the editor.

  50. freedom69 says:

    @Vivi777: your a big baby start saving money for a rainy day instead of depressing me with your sad story. I am sorry that you have no credit cards to use and no one who loves you enough to loan you money. Sad that youthink your the only person with bthis fraud and that you wait sadly by your phone for a call

  51. freedom69 says:

    @emilyf: You cant sue. Read your cardholder agreement or have a lawyer read it to you and then explain to you that the card is HSBC property. If you want flip the card and read it yourself.

  52. freedom69 says:

    @Pro-Pain: Well since this is 2008..uhhh I believe the word fraud is fairly common in my books & as far as tracing, well they obviously know the locations…but they dont have Professor X type abilities to telegraph who these perps are and if you watched Minority Report I think we are farrrrrrr from having technology to stop crimes before they happen

  53. Vivi777 says:

    @freedom69: Please learn the difference between ‘your’ and ‘you’re’ and then get back to me. I’d feel a lot better getting life advice from someone who can spell.

  54. TKGreen says:

    I have to admit and I’m also a victim of this HSBC fraud. I had over $2000 taken from my account. All transactions were done in Montreal, Canada. I now have to wait a whopping 10 days to get my money back and since I called to complain the 3rd time in a row, they are now putting a rush on getting my money back. The big kicker to this was when I went to a HSBC branch yesterday, they knew nothing about this issue and couldn’t help me at all. The security person I spoke to last said the branches know nothing and to not even bother with them.

  55. freedom69 says:

    @Vivi777: well i guess since you have nothing better to do then bitch about the money you lost perhaps you can come and count all the money i did not loose, and maybe you should try checking your account now just in case someone attempts identity theft on you. oh … never mind you need money for that and credit.so do not worry no one wants to be you

  56. freedom69 says:

    @TKGreen: well thats might be true have you spoken to them on how this could havr happened to your account.

  57. freedom69 says:

    @BlackestRose: none according to the news they were not the ones that lost your data. However they are the one giving you back our money. So although not their fault they are indeed making the situation right.

  58. Vivi777 says:

    @freedom69: Well I see you still haven’t learned how to spell. Actually, your grammar is so poor as well, I couldn’t even make out what you were trying to say.
    To everyone else – after much frustration, I was finally refunded my money. I will promptly be moving my three accounts to another bank.

  59. freedom69 says:

    @Vivi777: Good for you. perphaps you should have used those other accounts to sustain your lifesyle. Make sure that you look at your card holder agreement and read the fine print so that the next bank you deal with does not have to listen to you complain.

  60. Fion says:

    It’s still happening to me now in Sydney, Australia! Jeez…
    My ATM account has been siphoned of more than AU$4000 from a German ATM while I have had my ATM card with me all along in Sydney, within 4 days. I phoned HSBC and the operator obviously knows this is not a unique case and could not help me further except for reissuing a new ATM card and asking me to fill out the dispute form. What a nightmare!