HSBC confirmed that thieves stole card payment data from the bank and that it is reissuing 6,000 ATM/debit cards to customers affected by the breach. One Consumerist reader, Keith, had $2000 stolen from him via an ATM in Bulgaria, and another, Emily, had $2,800 siphoned from her account from ATMs located clear across the country. (Emily also got interviewed on WCBS, and we got a mention and a screenshot.) Checking the comments section, it looks like 11 other Consumerist readers were affected by the HSBC fraud as well, with a number of the fraudulent withdrawals being made from Montreal and Canada. Sounds like the thieves stole the data, which contained both card numbers and PIN codes, and then cloned ATM/debit cards. If you’re an HSBC customer, might be a good time to change your PIN number.

Whoops!
If you’re an HSBC customer, be sure to check your balance daily and immediately report any suspicious withdrawals.
I’d change that recommendation to “If you’re an HSBC customer, be sure to change your PIN right now to prevent unauthorized use of your card,” rather than just sitting back and waiting for it.
Time to take it seriously!
OMG! My friend had $1,000 stolen from her HSBC account this Monday night and Tuesday morning. When she called the bank, they nonchalantly told her she was on the list of customers to contact regarding the recent theft in customer information.
I am curious to know exactly HOW this data was stolen.
@forgottenpassword: Insecure firewall.
@Mina_da_mad_child: wtf. “Yeah, we meant to tell you about that…”
Sheesh.
@B: kinda funny when you’re talking about a company that requires you to use an on-screen keyboard as a secondary input to prevent keylogging.
@forgottenpassword: Someone probably left their laptop at a Starbucks coffee shop….
@shadow735: Were that the case, I’d still blame HSBC because 1) Employees shouldn’t be able to store customer data on laptop (or desktop) drives, and 2) laptop drives should be encrypted.
@B: I’d second that number 1 and add that employees should not be able to take the laptops out of the building.
@B: I was guestimating (I know it’s not a word) because we all know how big companies make such stupid mistakes, actually I just thought the info could have just been downloaded if they were using wifi or a wireless router.
When you are dealing with big companies the sophisticated thieves are going to be on the prowl.
Probably someone at their overseas offices sold the data for 5 bucks.
4 more victims on New York Magazine’s blog:
[nymag.com]
Plus Emily (my fiancee) knows two other victims.
Also, Emily & I were at dinner last night in the neighborhood and actually overheard someone talking about being an HSBC victim at the next table.
This thing is probably fairly widespread and kudos to HSBC for somehow keeping this from becoming a big news story.
For those of you in NYC, we will have the story on the WNBC 4 7PM News w/Chuck Scarborough tonight.
@UpsetPanda: Usually laptops that are allowed to leave a facility use a VPN to connect back to the company/bank/agency etc. That way there is very little if anything actually ON the laptop.
This wasn’t a data breach at a retailer, or a card processor or data collector like the TJMaxx breach. This was THE FREAKING BANK.
Yes, but the real question is:
Is HSBC “taking this very seriously”?
Montreal AND Canada. You have to watch those two distinctly different places, they’re sneaky.
@bohemian: Unless of course that person opened the file over the VPN locally. Unless the hard drive is encrypted as well or they were running everything VNCed to a machine inside the firewall there’s a good chance of the data being on the laptop. VPN really only protects the transfer of data to and from the laptop.
I don’t know about anybody else but if this happened to me (actually, even if it DIDN’T happen to me) and I read the story below this one about HSBC being the most identity theft-prone, I’d be switching banks. There’s no reason to continue doing business with a company that’s obviously incompetent.
Simultaneously, deep within the credit processing bureau at HSBC:
“click click click… beep…uh oh, spageddios!”
@bohemian: The VPN works great, until someone gets tired of entering their password, so they tell their VPN clients to save the password.
HSBC told my friend someone in Russia was making purchases with her ATM card
@QuantumRiff: No VPN client worth its salt lets you save a password.
The odd thing is that HSBC is a great bank if you’re not in America. I can’t figure out why their operations here are so sloppy and horrible.
@forgottenpassword: My guess would be that someone installed a card skimmer on an ATM, along with a camera to capture PIN entry. This way you get all the magnetic stripe data AND the PIN.
@zerj: Yeah. I worked in IT for a financial advisory firm, and people would store client data on laptops all the time. They’d have to VPN in to access the account maintenance and client relationship management systems, but stuff like mailing lists, client portfolios and hypotheticals, etc. was fair game. And the only protection was a domain password, easily overridden by downloadable boot CDs.
@DMDDallas: If only Cisco would realize that.
I don’t understand how this can happen. Can’t they trace these fraudulent transactions somehow? How DO people get away with this kind of theft?
So I was one of the victims who posted previously. I was really happy to see Emily on the news yesterday! But unfortunately HSBC is still not taking this seriously at all. I have now called my assigned ‘investigator’ as well as her supervisor 12 times (at various times of the day for the past 2 days) and left 4 messages and I have still never been able to speak to them. They never called me back and never answer their phones. I’m only able to get through to the call center but they said they can only give information but not help me in any way. Today I just got charged an additional $140 in overdraft charges because of the fraud even though I am no longer overdrawn, the fraud happened over the week-end, and this is their fault. Unbelievable…
@GenXCub: I had to chuckle at that one. Montreal IS kind of a different world though. Even more so in Quebec.
For those referencing disk encryption, new research has shown that it is not as secure as once believed.
[www.news.com]
Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft’s BitLocker and Apple’s FileVault and then view the contents of supposedly secure files.
@disavow: The difference is perhaps one of implementation. We use Cisco VPN but there’s no option to save a user password (though there’s a greyed-out option to clear it, so perhaps it’s disabled in the registry) and in any event we use a 2-factor auth (RSA SecurID fob with a number that changes every minute) so anything you saved would only be valid for a minute.
Sounds like your employer is not taking advantage of the full feature set of Cisco’s VPN. It’s not really a secure VPN without some sort of 2-factor authentication.
Way to go HSBC! You guys are indeed the world’s local bank.
I’m happy to know that someone in Russia, Bulgaria and Saudi Arabia aren’t sharing my account as we speak!
@Barbarisater: Just wanted to say awesome s/n! Are you an Abnett fan too?
Vivi, if you can get an email address for them, see if they will respond that way. I was able to get in touch w/ my rep thru email- and she actually suggested it because she knew she wouldn’t be able to get to the phone. Unfortunately, the email addresses go firstname.middleinitial.lastname@us.hsbc.com, so you might not be able to guess at the address with just the first & last name. Might be worth a shot to try it though.
Just keep at them- dial random extensions to get anyone on the phone that you can. INSIST that you speak to someone in the fraud department with relevant knowledge and keep threatening to sue if they sound like they’re going to hang up on you. Worked for me!
You should definitely not be responsible for overdraft fees. My account was negative $1925 or something like that at one point and I was not assessed overdraft fees. It is odd, but not surprising that even this is not consistent.
I also would advise that you withdraw the majority of your money once you get the provisional credit. Close your original account and leave a nominal amount in a NEW account (make sure it is a free checking account). If they end up fighting you on the amount- at least fight over a negative balance than having your actual money tied up!
What is scary to me is that this is STILL happening- someone posted about this happening on Monday/Tuesday of this week. How is this still happening when HSBC has known since LAST WEEK that there is a breach??
As Corey mentioned, another story about this will be on NBC 4 (NYC) tonight at 7.
Good luck!!
Fortunately I don’t bank with HSBC so I don’t have to change my Personal Identification Number number. I suppose they use those to access the ATM machines, huh?
I just CANCELLED my HSBC credit card today (before I saw this news) because of my fraudulent charge with Best Buy that I’ve been trying to resolve for six months to no avail. I told them the reason I’m canceling is because of the terrible customer service trying to resolve this issue.
They offered me a lower credit card rate.
“No, I want a full refund of the $100 fraudulent charge, which I have proof is fraudulent. I was vacationing in Canada at the time and have charges the same day in Canada and LA. Furthermore, their initial response 6 months ago was: Best Buy says that there was a physical card transaction with a valid signature, and here is a copy of that receipt.
Um…I was only issued one physical credit card, which I had on my person in Canada, and the signature on the receipt for soft porn in Los Angeles is a name that looks nothing like my signature.
Anyhow, after putting me on hold for ten minutes, they returned with the following counter-offer.
“Sorry, since the vendor believes the charge was valid, they did not reverse the charge. We would be happy to refund you half the money if you do not cancel your business with us. However, if you do cancel your business, you will not receive any money from us.”
“Well then, please cancel my card. I would rather pay the $100 than to continue fighting this fraudulent card. I have better things to do with my life.”
I wanted to also rant and rave to them how that I do know that HSBC is the financial backer behind Best Buy’s own credit card company, and how they are terrible supporting fraudulent practices rather than listening to a ten year customer. But like I said, I have better things to do than fight windmills for $100. And besides, the writing is already on the walls that both Best Buy and HSBC are horrible corporations and will soon die horrible deaths.
I have a potentially dumb question: is this only for the branch type banks? I have a store credit card that’s handled by HSBC, so of course there’s no real PIN or ATM access, etc. Just wondering if I should be worried.
Are people with HSBC-Direct online savings accounts at risk? I think they are issued ATM cards.
I just called HSBC-Direct Online Savings department at 800-975-4722. I was told that only Mastercard Debit cards were at risk. Non-branded HSBC-Direct ATM cards are not.
@disavow: I use the Cisco client for work and it doesn’t let you save the password. Odd.
@AT203: I have an HSBC savings account and declined their offer of an ATM card. Everyone should do the same — it’s a savings account, not a checking account. I’ve found that giving myself easy access to my savings causes me to spend said savings.
@DMDDallas: Sounds like GearheadGeek is probably right that it’s a configurable setting, then. Which means that firm’s security is even worse than I thought. Wonder how long it’ll be before we see their (sekrit) name next to “customer data was stolen” on here. =P
Notice at the end HSBC says they are liable for 0% (as in “not our fault, no way no how, and you can’t prove nuthin’”). Legally what is their liability? If they lost account data? How does it change if their customer service center didn’t act when first notified?
@Vivi777: Um, (I know I’m treading on touchy ground here), you do realize investigators have hundreds of accounts they’re responsible for at any one time?
Your experience sounds awful. I’m not trying to belittle it in any way. But it might be helpful to know that “your” assigned investigator can’t provide minute-by-minute feedback to hundreds of people, every day, AND complete their backend duties of adjusting accounts, compiling evidence, actually investigating the fraud, speaking with police/merchants/other banks, and so forth. Threatening to sue won’t change that… it’s just not part of the job function for them. If they need your help, they will call, and if they can help you, they will contact you.
Should there be better communication in place? Of course! But it won’t happen any time soon. Too few employees, too much fraud.
But they will sort it out. I hope, for your sake, immediately.
@emilyf: Thank you for the advice Emily! I will try to get an e-mail address. And thank you for helping me and the other people affected by this sort through the HSBC “customer service” maze.
@Mrs. Basil E. Frankweiler: I might not have been clear in my post but it was already determined (on Monday) that there was a fraud in my case. There is no investigation still needed to be done. The reason why you need to get in touch with your assigned investigator is because they are the only ones that can approve refunding the stolen amount before the HSBC default of ten business days. I’m sure they are getting a lot of requests like that but it is certainly not my problem and I don’t think the fact that they have hundreds of calls gives them the right to ignore their clients. Especially since they never notified anyone of the breach and continue to avoid taking any responsibility. If they had refunded everyone’s money as soon as they determined it was fraud (and not actually keep charging them overdraft fees) I don’t think anyone would have ever even posted on here.
This happened to me in 2006. About US$5000 was taken. HSBC won’t reveal how it happened. (I have a Hong Kong-issued ATM card but the cash was stolen from New York, USA (so let’s not blame only Eastern Europeans).) HSBC restored the amount, including interest, provided I signed a form saying the bank was not at fault. Interestingly, the thieves managed to withdraw up to US$1000 per transaction, something I’ve never been able to do. Very fishy.
I am joining a credit union today, and will be closing my accounts with HSBC just as soon as I can.
Between this and having to pay HSBC to take my money (they want $15 to process a credit card payment by phone), I’ve had enough.
@Vivi777: That’s helpful to know – thanks!
I had no idea that HSBC was involved with a widespread fraud problem until I looked at my checking account balance today. There were approximately $3000 worth of ATM withdrawals in Fuengirola, Spain on 2/29 and 3/1. I sent more details to the editor.
@Vivi777: you’re a big baby. Start saving money for a rainy day instead of depressing me with your sad story. I am sorry that you have no credit cards to use and no one who loves you enough to loan you money. Sad that you think you’re the only person with this fraud and that you wait sadly by your phone for a call.