HSBC Turkey has admitted it suffered a major card breach of 2.7 million accounts, but maintained that there was no need to reissue said cards because not enough information was stolen to commit identity fraud.
The bank said in an online FAQ that it discovered the incident over the past week, and that it affected card and linked account numbers, card expiry dates and cardholder names of its customers.
However, it said there is no evidence that other financial or personal information has been compromised and maintained the cards are secure and safe to use.
It continued:
“Only the linked account number was compromised. The content of the account was not compromised. It is not possible to commit fraud with the linked account number. This information is regularly shared by our customers with the 3rd parties when they make money transfers and EFT transactions. No other information was compromised, including account numbers of term deposit accounts or other deposit accounts.”
There is no evidence of fraud as a result of this hack, but if there is in future the bank will reimburse customers, it added.
It is unclear whether the hackers were foiled by internal systems or just inexperienced in knowing which card information they needed to steal.
Trey Ford, global security strategist at Rapid7, praised HSBC for having caught the incident so quickly and with no outside help.
“This is impressive given that the vast majority of breaches are detected by third parties, and often not for months,” he said.
“HSBC is underscoring that cards will not be re-issued at this time, and that the compromised data will not impact internet banking, ATM transactions, and telephone banking services. This is because ‘card present’ transactions require additional information that would be encoded on the magnetic strip, and for ‘card not present’ transactions, the card security code (CVV) would be required to transact business."