HSBC is informing some customers in the US that their mortgage account information was inadvertently made accessible via the internet.
The bank discovered at the end of March 2015 that 685 mortgage customers in New Hampshire in the US were affected. The bank said it believes the information was made accessible online towards the end of 2014.
HSBC UK told Computer Weekly: "This matter only affects some mortgage customers of HSBC Finance Corporation in the US."
The information potentially exposed included names, social security numbers, account numbers, old account information and possibly phone numbers.
“HSBC takes this very seriously and deeply regrets that this incident occurred. We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a reoccurrence of such an incident,” said the bank in a statement.
The information is no longer accessible publicly, it added.
HSBC started informing customers on 9 April 2015 and is offering them a free subscription to a service called Identity Guard, which will help the customers identify if their details are being used by fraudsters.
“It not only provides essential monitoring and protection of credit data, but it also monitors internet chat rooms and newsgroups, and alerts customers if their social security number, credit cards and bank account numbers are found in unsecure online locations,” said HSBC.
There were no details on how the bank uncovered the problem or whether any customer data had been used fraudulently.
In 2009, three HSBC companies were fined a total of £3m by the Financial Services Authority (FSA) for failing to protect customer information, which led to two incidents of data going missing.
HSBC Life UK was fined £1.61m; HSBC Actuaries and Consultants was fined £875,000; and HSBC Insurance Brokers was fined £700,000. All of these companies are part of HSBC's insurance business.
The FSA revealed that "large amounts" of unencrypted customer details had been sent via post or courier to third parties.