Stolen information from a bank… and *not* from phishing!

On Friday, I went to Bloomberg’s financial page and browsed a few articles. I read an article which stated that HSBC revealed that a former employee stole details on 15,000 existing user accounts:

March 11 (Bloomberg) -- HSBC Holdings Plc’s Swiss private bank said a former employee stole details on 15,000 existing accounts, as banking secrecy comes under growing pressure from nations keen to crack down on tax evasion.

An information technology worker took the account information about three years ago, the Geneva-based unit of HSBC said in a statement today. Data were also stolen on 9,000 accounts closed before October 2006, said the bank, which currently has about 100,000 accounts in all.

“This represents a threat to the privacy of our clients,” Alexandre Zeller, chief executive officer of HSBC’s private bank, told reporters today in Geneva. “We deeply regret this situation and unreservedly apologize to our clients.” The bank plans to spend 100 million Swiss francs ($93 million) on improving security, he said.

“This is enormous and no-one expected that it could happen to HSBC so it’s a tough lesson for the whole industry,” says Bernhard Bauhofer, founder of Sparring Partners GmbH, which advises companies on managing their reputations. “There’s an increasing demand for data and there will be other cases because governments are looking for funds; where there’s demand there will be supply,” he said.

The French Finance Ministry said in December that it had data on Swiss bank accounts held by French taxpayers, including names provided by a former HSBC employee.

Switzerland suspended treaty negotiations with France in December because of the HSBC case. After talks in January, France agreed to return the original data to Switzerland and not ask for assistance from Swiss authorities based on the stolen information. France will continue to use the data to pursue tax evaders at home.

“The bank does not believe that the stolen data has or will allow any third party to access any client account,” HSBC said. The accounts were all opened before October 2006, the bank said, adding that it is contacting all clients with Swiss-based accounts.

Switzerland’s banking regulator said it will investigate how the theft occurred and what HSBC did to improve security since 2007. The Swiss Financial Market Supervisory Authority, known as Finma, has been in close contact with the bank since December last year, the Bern-based regulator said in an e-mailed statement today.

Swiss secrecy laws, which threaten bank employees with as much as five years in jail if they divulge client information, have failed to stop workers from stealing data.

The former staffer, Hervé Falciani, was a “trusted employee” who worked for HSBC for more than seven years, Zeller said. He took the data “probably over a period of months” while working on a project to transfer client information between computer systems.

HSBC said it became aware of the theft in the middle of 2008 and Falciani was arrested in Switzerland in December of that year after being denounced by a colleague. He later left the country for France. The bank said it is unsure how Falciani physically stole the data.

“Nobody will ever tell you that 100 percent of data can always be secure because private banking is a human game,” said Zeller. “Data theft is an ever more serious preoccupation within the industry.”

While the stolen data contains numbers and names, the latter could be powers of attorney rather than the client.

This represents an interesting challenge for the security of banks and their clients. Here we have a case of an employee stealing data and governments acquiring it in order to look for additional sources of revenue. However, in contrast to phishing, whoever acquires this data could not use it to gain access to the clients’ data – at least not directly. Still, is it that much of a stretch to see it used as part of a social engineering ploy? A username, account numbers and some additional account details might not be enough on their own to gain access to an account. But they might be enough to impersonate the actual client and request a reset of the login credentials, which could give an unauthorized user access.

More in my next post.

[Actual picture taken by me of HSBC bank in Geneva, Switzerland]
