
HSBC Breach of Customer Data 'Inexcusable'

March 11, 2010
Maria Korolov

The theft of 15,000 records of HSBC Swiss account holders is “inexcusable,” according to a security expert who provides consulting services to financial firms, and the bank should have taken steps to prevent the loss.

“As an HSBC customer, I'm appalled,” said Steve Markey, founder and principal of Philadelphia-based data security and privacy consulting firm nControl LLC, whose clients include AIG, Haverford Trust and Printz Capital Management. “As a security and privacy expert, controls should be in place.”

According to Markey, up to 70 percent of all security breaches are a result of insider threats.

Banks need to segregate duties so that only those employees who need to can access sensitive data, he said, and have data leakage and loss prevention technology in place.

“And you can regularly train employees on the ramifications,” he added. “That you will get caught. That you will go to prison.”

Markey also expressed concern about the length of time it took for the loss to be discovered.

“It borders on the criminal that it took three years for this to come to light,” he said. Markey added that the bank should offer credit monitoring services to all those affected.

The issue came to light when the hacker, former HSBC technology employee Herve Falciani, attempted to sell 3,000 of the stolen names to French authorities, and the authorities turned the data over to HSBC.

The Swiss Bankers Association criticized the French authorities for taking too long to notify HSBC about the theft.

“We strongly condemn any state that induces such criminal behaviour or indeed rewards it financially,” the group said in a statement.

According to Germany's Der Spiegel newspaper, the HSBC employee also offered to sell the names of 1,300 Germans with Swiss accounts to Germany for 2.5 million euros. This would allow Germany to recover between 100 and 200 million euros in unpaid taxes, German media report. German Finance Minister Wolfgang Schaeuble said he was willing to buy the data, sparking a storm of international outrage.

“I hope the taxing authorities are smart enough to realize that those who live by the sword are likely to die by it,” Harvey Pitt, former chairman of the U.S. Securities and Exchange Commission, told Securities Industry News.

“I believe government should resoundingly reject purloined data files, and make that objection loudly and unequivocally,” said Pitt, now chief executive officer of Washington, D.C.-based consulting firm Kalorama Partners LLC. “However tempting it may be to sneak a peek at the purloined data, the most effective way to put a stop to this nonsense is to disincentivize those who might otherwise be tempted to hack into computer systems.”

Pitt said that he gives high marks to HSBC for addressing the problem and apologizing to its customers.

“Those who prey upon computer systems are a menace to modern society,” he said. “Most financial services firms, like HSBC, take elaborate precautions to prevent information theft. But, unfortunately, that's not an assurance that they can be successful. The key thing this incident reflects is that financial services firms have to be continuously and perpetually reviewing and improving their firewalls to shut hackers out of their systems.”