HSBC Middle East emails some of its highest rollers – using the CC option

HSBC forgot to use the 'blind copy' option when sending an email to 178 of its high-value customers

The net result, says The National newspaper, is that the HSBC customers now know the email addresses of their peers.

“The security breach occurred after a mass email was sent on Sunday morning to 178 customers of HSBC Premier, the bank's account level for high earners, advising them that it was due to implement an IBAN number system used for international transfers”, said the paper.

“HSBC Premier is the bank's top-level retail account and requires customers to maintain a minimum balance of Dh350,000 (US$95,289) or transfer salary of at least Dh600,000 per year. The email sent by the bank included the names of senior officials at a number of major energy, media and legal firms in the Emirates”, added the paper.

Rick Crossman, the head of retail banking and wealth management for the UAE with HSBC, is quoted as saying “as a result of a human error at HSBC Premier, some customer email addresses were visible to other customers in an email notification. No other contact details or customer account information was divulged.”

"There is absolutely nothing to suggest that this incident would allow any third party to access any client account information. We deeply regret this situation and unreservedly apologise to our customers for this possible compromise of their privacy", he told the paper.

HSBC seems to be taking the situation seriously: Crossman added that the necessary measures will be taken to avoid a recurrence.

The problem facing the bank, however, is that cybercriminals who obtain a copy of the email could engineer a spear phishing attack against the bank's wealthiest customers, Infosecurity notes.

Kamel Heus, MD of Sophos EMEA, agreed, as the paper quoted him as saying that, if a hacker has an email address, s/he will craft an email that really looks like it is coming from HSBC, and at the same time s/he will craft a website that mirrors the HSBC website.

"He will put a link in the email telling the customer they are updating the system and they have to update the customers' record urgently", Heus said.

This isn't the first time that HSBC appeared to ignore the BCC option, as The National says that, in April of last year, customers of the bank complained about a similar situation, although the bank is quoted as claiming that the two incidents were not identical.
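A defender-side illustration of the failure mode in this story, added here as an example (it is not HSBC's code or anything from the article). It builds the same notification the wrong way (every customer in a visible Cc header) and the right way (customers only in Bcc, which a sender such as smtplib's send_message strips before transmission), and adds a pre-send guard that would have caught the mistake. Addresses, subject and body are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (hypothetical addresses, not from the article).
CUSTOMERS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def build_cc_notification(sender, recipients, subject, body):
    """The mistake in the article: all customer addresses in a visible Cc header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bcc_notification(sender, recipients, subject, body):
    """Hardened form: addresses only in Bcc, which the sending library drops
    from the copy each customer receives (smtplib.SMTP.send_message does this)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the visible To header names only the bank itself
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient would see in the delivered message (To and Cc)."""
    values = [v for header in ("To", "Cc") for v in msg.get_all(header, [])]
    return [addr for _, addr in getaddresses(values)]


def leaked_addresses(msg, recipients):
    """Customer addresses that would be disclosed to the other customers."""
    return sorted(set(visible_recipients(msg)) & set(recipients))


def safe_to_send(msg, max_visible=1):
    """Pre-send guard for bulk mail: a notification to many customers must never
    expose more than max_visible addresses in To/Cc (normally just the sender)."""
    return len(visible_recipients(msg)) <= max_visible
```

Wiring safe_to_send in front of the bulk-mail step turns the human error into a rejected send rather than a privacy incident.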
