Thousands of HSBC bank users in Mexico and Latin America report receiving charges of between $2 and $10 on their accounts, a situation that has also occurred on some recently activated credit cards. Through Twitter, users voiced their concern about these charges, as it was unclear whether the incident was a bank mistake or related to a data protection issue.
Cybersecurity specialists also expressed concern about how banks allow transactions from companies in Europe or the United States when an account is located in Mexico. After a call to HSBC Mexico, it was revealed that the bank is charging about $20 USD to investigate these unauthorized charges and asking users to block their cards, plus an additional $7 USD fee to issue a new card.
While this seems to be a rather confusing situation for HSBC customers, data protection experts claim to have found the answer. A data breach incident appears to have affected the bank, so protection services against identity theft and other fraud become necessary.
However, in situations like this, banks are responsible for offering their customers these protection services for free, usually for one-year periods. In this case, everything indicates that HSBC has refused to acknowledge the data breach and expects users to pay for their own data protection service. As if that wasn't enough, the bank could have been the victim of a new security incident like the one in Mexico and other Latin American countries in 2018, although HSBC has not commented on it.
In 2018, HSBC released a statement saying that the bank accounts of some customers in the U.S. had been hacked and that hackers could have accessed information on statements, transactions and balances, among other financial details, in addition to personally identifiable details (names, addresses, dates of birth, etc.).
The bank allegedly directly notified all users potentially affected by this incident: “The safety of our customers is a fundamental issue for us. HSBC regrets the incident and assumes responsibility for protecting the information of affected users, notifying them of unauthorized access and offering a year of credit monitoring and identity theft
For now the bank is unclear about the motivations of the attackers, as they could sell this information or even try to steal money from the accounts themselves. According to an expert familiar with the topic, during this incident hackers used a technique known as credential stuffing, in which they collect login data exposed in other incidents to try to gain access to online banking accounts, social media profiles or emails.
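From the defender's side, credential stuffing as described above tends to show up in login logs as one source trying many different accounts with mostly failed attempts. The following is an added example, not from the article or from HSBC; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, success)
SAMPLE_EVENTS = [
    ("203.0.113.7", "ana.lopez", False),
    ("203.0.113.7", "j.ramirez", False),
    ("203.0.113.7", "c.mendez", True),     # a reused password was accepted
    ("203.0.113.7", "luis.ortega", False),
    ("203.0.113.7", "m.santos", False),
    ("203.0.113.7", "p.vargas", False),
    ("198.51.100.20", "r.flores", False),  # one customer mistyping a password
    ("198.51.100.20", "r.flores", False),
    ("198.51.100.20", "r.flores", True),
    ("192.0.2.44", "e.cruz", True),        # household sharing one address
    ("192.0.2.44", "d.cruz", True),
]


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are assumed values; tune them against real traffic.
    """
    stats = defaultdict(lambda: {"accounts": set(), "attempts": 0, "hits": set()})
    for ip, user, ok in events:
        entry = stats[ip]
        entry["accounts"].add(user.lower())
        entry["attempts"] += 1
        if ok:
            entry["hits"].add(user.lower())

    flagged = {}
    for ip, entry in stats.items():
        # Approximates the success rate by counting each accepted account once.
        success_ratio = len(entry["hits"]) / entry["attempts"]
        if len(entry["accounts"]) >= min_accounts and success_ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_accounts": len(entry["accounts"]),
                "attempts": entry["attempts"],
                # Accounts the source logged in to: reset and review these first.
                "accounts_to_reset": sorted(entry["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

A single customer retrying a password and a shared home address both stay below the thresholds, while the accounts a flagged source actually logged in to are the ones that need a forced password reset and a transaction review.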
“So far HSBC has revealed very few details about the incident,” says Alan Woodward, a data protection expert at the International Cyber Security Institute (IICS). “The investigation is still ongoing, so the bank is implementing the necessary measures to protect the information of its customers and keep the authorities on track; soon, many details will need to be revealed by the bank.”
While the investigation is being completed, users are advised to reset their mobile banking access passwords, in addition to notifying the bank of any unauthorized transactions. If the bank continues to refuse to pay for the protection of affected users, it is recommended to record the call and send it to the agencies responsible for consumer protection, in addition to posting it on social networks.