A breach notification letter sent to the New Hampshire Attorney General’s Office by the HSBC Finance Corporation has revealed that sensitive mortgage information of customers of a number of its subsidiaries has been potentially compromised.
The subsidiaries in question are Beneficial Financial I, Inc., Beneficial Homeowner Service Corporation, Beneficial Maine, Inc., Beneficial Massachusetts, Inc., Beneficial New Hampshire, Inc., Household Finance Corporation II, Household Finance Corporation of Alabama, Household Financial Center, Inc., and Household Realty Corporation.
According to the letter, the name, account number, Social Security number, old account information, and occasionally telephone numbers of 685 New Hampshire residents was “inadvertently made accessible via the Internet” during a period between the end of 2014 and March 27, 2015.
“This is an example of breach notification laws in action, for both good and bad. We’re finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries so that the extent and impact is obscured,” commented Tim Erlin, Director of Security and Risk at Tripwire.
“With so many of the banks subsidiaries being named, the number of those affected will likely be quite substantial,” Troy Gill, Manager of Security Research at Appriver, noted.
“Since HSBC does not appear to be claiming that they suffered a breach by hackers it seems that they may have inadvertently stored the data in a manner that made it accessible on the internet. In this case it is the data could have potentially been compromised by countless groups/individuals to be used for nefarious purposes . With personal information including social security numbers being involved, this could have a severe impact for their account holders.”
HSBC Finance obviously thinks so, too, so aside from notifying the potentially affected customers about the breach and advising them to be on the lookout for fraudulent transactions, they have also offered free identity theft victim recovery services (if they have been victimized) and credit monitoring and identity theft protection services by Identity Guard.
The latter service monitors credit data, but also internet chat rooms, newsgroups and other sites to detect if any Social Security number, credit card number or bank account number has being posted.