HSBC's customer data loss opens door for social engineering attacks

Yet another unencrypted CD goes missing, this time it's HSBC bank that has lost 370,000 customer records.

HSBC has revealed that it lost a disk containing details of 370,000 customers four weeks ago. The disk in question was posted via Royal Mail from its life insurance offices in Southampton but failed to arrive at a reinsurance office in Folkestone.

The bank said the disk held only name, date of birth and level of insurance coverage for each customer, but no addresses or bank details, and that there was a low likelihood of the information being used for fraudulent purposes.

All affected customers are being informed of the data loss.

Information would normally have been sent via a secure connection, the bank said, but on this occasion the link was not working and so a decision was taken to copy the customer data onto a disk. The information was not encrypted but the bank said the disk was password-protected.

"My biggest concern is that the file was probably just protected with a Microsoft Office password," said Ken Munro, managing director of Securetest, a penetration testing company. "Local cracking of Office passwords is not difficult. Unless the password was eight or more characters in length, it's not going to take long to crack. Pre-computed Office password hash tables already exist, which may reduce the cracking time to as little as five minutes.

"Quite why the file wasn't simply encrypted using one of the freeware encryption tools, I don't know. Even WinZip does reasonably strong file protection."
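The point Munro makes is that a "password-protected" Office file is not the same as an encrypted one. The following added example (written for this page, not HSBC's or Securetest's procedure) shows the kind of freeware-tool step he describes: a small POSIX shell script that encrypts a customer export with the OpenSSL command line before it is copied to removable media, keeps the key off the disk, and refuses to dispatch anything that still reads as plaintext. It assumes the `openssl` CLI is installed; the file names and the three-column sample export are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article. Encrypt a customer export before it
# leaves the building, so a lost disk carries only ciphertext.
# Assumes the openssl command-line tool is available.

# Constructed sample export with the three fields the article says the disk held.
make_sample_export() {
    cat > "$1" <<'EOF'
name,date_of_birth,cover_level
A. Example,1970-01-01,100000
B. Example,1985-06-15,250000
EOF
}

# A 32-byte random key (64 hex characters), far beyond the eight-character
# threshold quoted in the article. It travels out of band, never on the disk.
generate_key() {
    openssl rand -hex 32
}

# AES-256-CBC with a random salt and a PBKDF2-stretched key.
# Arguments: <plaintext file> <ciphertext file> <key file>
encrypt_export() {
    in="$1"; out="$2"; keyfile="$3"
    openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -pass "file:$keyfile" -in "$in" -out "$out"
}

# Reverse of encrypt_export, run at the receiving office with the same key.
decrypt_export() {
    in="$1"; out="$2"; keyfile="$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass "file:$keyfile" -in "$in" -out "$out"
}

# Pre-dispatch control: returns 0 if the file still begins with the readable
# CSV header, i.e. it was never encrypted and must not be posted.
is_plaintext_csv() {
    head -c 64 "$1" | grep -aq 'name,date_of_birth'
}

# Full workflow: returns 0 only when the ciphertext passes the plaintext check
# and decrypts back to the original byte for byte.
prepare_for_dispatch() {
    src="$1"; workdir="$2"
    generate_key > "$workdir/key.txt"
    encrypt_export "$src" "$workdir/export.enc" "$workdir/key.txt" || return 1
    if is_plaintext_csv "$workdir/export.enc"; then
        echo "refusing to dispatch: export is still plaintext" >&2
        return 1
    fi
    decrypt_export "$workdir/export.enc" "$workdir/roundtrip.csv" "$workdir/key.txt" || return 1
    cmp -s "$src" "$workdir/roundtrip.csv"
}
```

Two design choices matter here. The key is generated randomly and written to a separate file that goes by a different route, so losing the disk does not lose the key; and the round-trip decrypt before dispatch catches the case where the encryption step silently failed and an operator would otherwise post the original.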

Munro agreed that most of the lost information is readily available through online sources, and so not especially important, but he raised some areas for concern.

"The information could facilitate social engineering attacks against these customers," he said. "Using this knowledge, it wouldn't take long to extract far more information out of the individuals. If you received a call from your bank, quoting details of your life insurance policy that you held with them, how much more likely would you be to believe the caller was genuine? If you're an HSBC customer, I would be on my guard for email and telephone borne attacks."

The Information Commissioner's Office has been informed of the customer data loss, and said it would decide on any action once the bank's investigations into the whereabouts of the lost information are concluded.
