HSBC compromised (again)

  1. #1
    AO Senior Cow-beller
    Moderator
    zencoder
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177

    HSBC compromised (again)

    Source
    April 14, 2005
    HSBC Latest Data-Breach Victim
    By Tim Gray

    British financial giant HSBC is notifying 180,000 people in the United States that their credit information may be vulnerable to thieves.

    The bank said data about customers who used its MasterCard credit cards to make purchases at a retail store may have been exposed.

    HSBC said its card, the General Motors-branded MasterCard, was used at the retailer by approximately 180,000 customers. The bank blamed the antiquated point-of-sale (POS) system at the business, which may have left scores more credit card companies and shoppers vulnerable.

    Under current laws and banking rules, financial institutions are not required to notify cardholders of the potential fraud.

    "There is nothing wrong with the General Motors MasterCard," Tom Nicholson, a spokesman for HSBC, said. "It was the retailer's software system."

    Nicholas said the point-of-sale systems (the machines running the cards system) at the retail stores were retaining credit information instead of "purging" it. The system is supposed to send information immediately to designated banks and then wipe it clean. Older software systems often retain the information and store it on site. The incidents occurred between June 2002 and December 2004.

    Nicholas said the bank is continuing to evaluate the accounts to determine if they may have been affected, but added that there had been no reports to this point.

    HSBC had not disclosed which retail store was involved but several published reports said it was a Ralph Lauren Polo store.

    Visa USA released a statement saying it was aware of a data security breach that possibly compromised Visa credit-card account information and is "working with the merchant, law enforcement and the affected member financial institutions to monitor and prevent card-related fraud."

    HSBC has mailed notification letters to 130,000 customers who shopped at the retailer, and expects the last 50,000 to be completed this week, said Nicholas. Holders of the HSBC General Motors MasterCard will be offered a new card at no cost.

    The situation marks yet another high-profile incident where personal data has been stolen from retailers, universities and financial institutions. The growing reports have touched off public and political debate over who owns what information and how it should be cared for.

    The scandal comes at a time when many institutions holding vital statistics on individuals seem to be vulnerable. As reported earlier this week by internetnews.com, information publisher Reed Elsevier said more than 300,000 people were exposed to scammers on its LexisNexis databases last month.

    In February, credit-check company ChoicePoint announced it had unwittingly handed over the information of 145,000 people to thieves, and several incidents on university campuses last month exposed tens of thousands of records.

    I'm curious as to specifically what has happened that led to this compromise. Is someone collecting the credit machines and syphoning data from them? Merchants improperly handling the data?

    We've done some work for HSBC and one of their vendors, so this strikes pretty close to home. Fortunately, being on the audit and incident response side of the fence, it's a sign of more work to come. Fortunate for us, that is...not the cardholders or shareholders.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  2. #2
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    Well let's not forget who works at these stores... it's not always somebody that values their job excessively. Combine this with a boyfriend that knows something about hacking [or not even, just somebody that recognizes the potential]. I don't know a whole lot about how data would be stored on that particular machine type, but it wouldn't prove a very hard task to copy the contents for later retrieval.

    It sounds like one of those "could-be" 'frauds' where there's no victim yet but there is a high risk involved.

    Anyway, hopefully the card machines will be changed, and maybe banks will not allow the use of such types of machines [I'm sure there would be some kind of identification for the machine, even remote; unfortunately it would be too late once the card has been swiped].
    /\\

  3. #3
    Member
    Join Date
    Apr 2005
    Posts
    45
    Hi!

    The system is supposed to send information immediately to designated banks and then wipe it clean. Older software systems often retain the information and store it on site. The incidents occurred between June 2002 and December 2004.
    - Some systems stored the information on their side to speed up their internal process. The system could further have designed a report-after-transaction just to show that they have a speedy system with CC transactions. Then the issues come. This should be reviewed (OLDER SYSTEM), especially when the growing rate of CC info theft came from this issue. Wait, since June 2002 and still no major actions from the regulators (like disallowing such old systems; I realized on second thought that it is also hard to upgrade everything).

    HSBC had not disclosed which retail store was involved but several published reports said it was a Ralph Lauren Polo store.
    - Individual branches take responsibility for choosing their type of system (budget-wise and customer coverage).

    Really, this credit information/identity theft issue is getting the highlights lately; too much money involved could really encourage thieves to operate on less-secured premises and be able to accomplish such an operation.

    -GONE
    an"to*nym (noun) [Greek: a word used in substitution for another]
    A word of opposite meaning ; a counter-term ; used as a correlative of synonym
    - Dr. Gung-ho
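
An added example, not part of any post in this thread: a minimal audit check for the failure mode the article describes, a point-of-sale system that keeps card data on site instead of purging it after authorization. It scans stored log lines for Track 2 stripe data and Luhn-valid card numbers; the log format and sample lines are constructed, and the card numbers are standard test numbers.

```python
import re

# Track 2 magnetic-stripe layout: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Bare card numbers: 13-19 digits, optionally grouped with spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum; filters out most random digit runs (IDs, counters)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Report first 6 / last 4 only, so the audit output is not a new copy."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines):
    """Return (line_no, kind, masked_pan) for each retained card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        in_track = set()
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                in_track.add(m.group(1))
                findings.append((n, "track2", mask(m.group(1))))
        for m in PAN_RE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group())
            if pan not in in_track and luhn_ok(pan):
                findings.append((n, "pan", mask(pan)))
    return findings

# Constructed sample of a POS transaction log (test card numbers, invented format).
SAMPLE_LOG = [
    "2004-11-02 14:03:11 AUTH OK terminal=07 amount=129.00 approval=483921",
    "2004-11-02 14:03:11 SWIPE ;5555555555554444=07121010000?",
    "2004-11-02 14:05:40 MANUAL card=4111 1111 1111 1111 exp=0906",
    "2004-11-02 14:06:02 BATCH id=1234567890123456 status=sent",
]

if __name__ == "__main__":
    for line_no, kind, masked in scan(SAMPLE_LOG):
        print(f"line {line_no}: retained {kind} data {masked}")
```

Any finding means card data survived past authorization; the batch ID on the last sample line is ignored because it fails the Luhn check.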
