ITsecurity

HSBC IT Security: No Sale

Posted on May 29, 2014.

By Richard Smith (Twitter: @ncsmiff)

HSBC, global bank, looks as if it could do with a hearty dose of global IT security. Let us traverse some of the timeline and sketch a few conclusions.

In the US, in April 2005, HSBC told 180,000 customers that their credit information might be vulnerable to thieves. It was mostly someone else’s fault, in the opinion of an HSBC spokesman:

“There is nothing wrong with the General Motors MasterCard,” Tom Nicholson, a spokesman for HSBC, said. “It was the retailer’s software system.”

In India, in June 2006 HSBC lodged a complaint with the Bangalore police:

HSBC Electronic Data Processing (India) Private Ltd. has claimed that an employee stole confidential data and misused it to defraud 20 of the bank’s customers in London to the tune of $425,000.

The company is a back-office processing and customer support operation of British bank HSBC Bank PLC.

In a complaint lodged with the Bangalore police on June 22, HSBC Electronic Data Processing alleged that Nadeem Kashmiri accessed personal information, security information and debit card information of some of its U.K. customers and passed it to “co-fraudsters” who conducted phony transactions through cash machines, debit cards and telephone banking services.

Officials at HSBC Electronic Data Processing were not immediately available for comment.

In the UK, in April 2007, HSBC Actuaries lost an unencrypted disk in the post. The disk contained details of 1,917 pension scheme members, including addresses, dates of birth and national insurance numbers. That was too small a breach to make the headlines, at first. HSBC told its insurance department to sharpen up its act. Alas, six months later, part of HSBC’s insurance department turned out to be deaf:

The HSBC banking group has admitted losing a computer disc with the details of 370,000 customers.

The disc was lost four weeks ago after being sent by courier from the bank’s life insurance offices in Southampton.

The customers’ details included their names, dates of birth, and their levels of insurance cover.

An HSBC spokesman reassured everyone that it was just a one-off (my bolding):

Despite the reassurances from HSBC, the bank admitted that although the data on the disc was protected by a password it had not been encrypted.

A bank spokesman explained that normally the data on its life insurance customers was sent to its reinsurance firm in Folkestone by an electronic link.

On this occasion, in the middle of February, this link was not working, so instead the data was downloaded onto a disc and sent by the bank’s normal postal service operated by the Royal Mail.

“We hold up our hands and say it wasn’t good enough,” said the spokesman.

It’s already more of a two-off than a one-off, of course. That little discrepancy couldn’t catch the BBC’s eye, because they didn’t know about HSBC Actuaries’ earlier screw-up. The FSA, then the UK’s financial regulator, who did know about the earlier small incident, got quite interested after the later big one. In due course, the one-off/two-off story died miserably (my bolding again):

HSBC’s first loss in the post was an unencrypted floppy disk containing details about members of a pension fund in 2007.

The bank warned its insurance arm over the issue, only for HSBC Life to then lose a CD containing the unencrypted details of customers six months later.

When the FSA swooped to investigate HSBC, it found unencrypted customer details routinely being sent by post or courier while other confidential customer information left lying around the office could easily have been stolen.

The HSBC insurance subsidiaries were fined £3.2 million by the FSA, who intoned:

In areas where we have previously warned firms of the need to improve, people can expect to see fines increase to deter others and change behaviour in the industry.

HSBC Life was fined for losing the details of 180,000 client accounts. Apparently, then, 190,000 of the 370,000 customer details that they initially reported lost, turned out not to have been lost after all. This blogger couldn’t find an explanation of the discrepancy; maybe I’m the one who hasn’t got a grip.

Meanwhile in the US, HSBC had already found an ingenious new way to screw up:

HSBC Bank officials acknowledged late last week that a bug in its imaging software accidentally revealed the confidential personal information of an unknown number of customers going through bankruptcy proceedings.

In documents (available here in PDF format) filed Thursday with the New Hampshire Attorney General’s office, the bank admitted that it failed to completely redact information on forms that were filed between May 1, 2007 and Oct. 17, 2008.

This time it was the software’s fault:

In notification letters the bank began sending out in October to affected customers, it said that some of the information may have been viewable “as a result of the deficiency in the software used to save imaged documents.”

Meanwhile in Switzerland, HSBC had another problem on the brew, which eventually hit the press in December 2009:

The banking company HSBC Holdings said Wednesday that an employee had stolen client data from its Swiss private bank in 2006 and 2007.

Later, the French budget minister, Éric Woerth, confirmed a newspaper report that the HSBC employee had passed stolen information to French tax authorities, Reuters said.

HSBC said the employee, who was no longer with the bank, had been working for its information technology department, and the theft was reported after a period of police surveillance in 2008.

Happily, ‘tis but a scratch, to the best of the bank’s knowledge:

“To the best of the bank’s knowledge, the number of names potentially involved is less than 10,” HSBC said.

The best of the bank’s knowledge turns out not to be all that good. By March 2010 they have a better idea:

About 24,000 clients of HSBC’s private banking operation in Switzerland had personal details stolen by a former employee, the company has admitted.

But there is still room for improvement in the best of the bank’s knowledge. Whatever agonized internal enquiry produced that estimate of 24,000 clients by March 2010, the effort was wasted. A quick look at Bloomberg back in December 2009 would have produced a better answer much more quickly and much more cheaply:

The data stolen from HSBC Holdings Plc’s private bank in Geneva includes information on 130,000 clients from around the world, Le Journal du Dimanche reported, citing Eric de Montgolfier, chief prosecutor in Nice, France.

A former employee at the Swiss bank leaked the information to de Montgolfier, who is probing possible money laundering, the newspaper reported, without identifying the worker. The Finance Ministry in Paris also received some of the data that was stolen and is using it to investigate the 3,000 or so French taxpayers on the list, JDD said.

Citizens of Colombia, Italy and “many other countries” are among the 130,000 clients whose data was stolen, according to the newspaper.

Naturally one would be shocked, shocked, if there was any suspicion of tax evasion or money laundering at HSBC Private Bank (Switzerland). However, by April 2010 there is more detail, not from HSBC, of how those 130,000 client accounts map onto individual people, and the beginnings of a feeding frenzy by some very happy tax authorities:

Bosses at HSBC Private Bank (Switzerland) admitted last month that details of 24,000 bank customers were taken by an IT worker at the bank three years ago. However, analysis of the stolen files shows that they refer to 127,000 accounts maintained by 79,000 people, French prosecutor Eric de Montgolfier said on Wednesday, AFP reports.

French police obtained the encrypted files after raiding former HSBC computer specialist Herve Falciani’s home in France back in January 2009. Authorities in France are seeking to use the data to investigate suspected tax evasion by wealthy French taxpayers.

Italian authorities are also interested in the data as part of a similar investigation into money laundering and tax evasion.

HSBC has said it would refuse to help authorities hoping to use the stolen data for tax evasion investigations.

Any tax evaders or money launderers at HSBC Private Bank (Switzerland) might well have felt that by then, it was a little late for HSBC to be withholding help.

At least there’s no real need for an HSBC spokesman to point the finger this time: it’s pretty obvious that this is all Herve Falciani’s fault. IT security types would nevertheless suggest a more illuminating diagnosis: HSBC Private Bank (Switzerland), like HSBC Electronic Data Processing (India) Private Ltd and like the HSBC insurance subsidiaries in the UK, never had effective access controls, for a start.

A governance specialist would add that the main HSBC board evidently never had much idea what was going on at HSBC Private Bank (Switzerland), either. A 2013 retrospective on the whole affair and its ambiguities suggests some reasons why this accountability-averting obliviousness might have been more of a feature than a bug:

The account data later was passed along to tax authorities in European countries—including France, Spain, and the U.K.—who have used it to collect more than €1 billion ($1.34 billion) in back taxes. Falciani says the data has also provided leads for ongoing investigations of corruption, money laundering, and terrorist financing. The Geneva bank provided an “open door” for such illicit activity, Falciani told a Spanish court earlier this year.

Arguably, then, HSBC Private Bank (Switzerland)’s godawful IT security, and Falciani’s exploitation of it, was a Very Good Thing, after all; if not for HSBC’s clients, then at least for French, Spanish and British taxpayers, and if Falciani’s account can be trusted, for unidentified law enforcement and antiterrorism agencies too.

Despite all this kerfuffle, it’s clearly business as usual elsewhere in the HSBC empire. In October 2012, HSBC still hadn’t solved chronic access control problems, now manifest in the US, and their incident-handling and PR hewed to established tradition:

International bank HSBC reported on Tuesday that a recently-resigned employee walked away with crucial customer information in July of 2012.

The information included HSBC customers’ names, phone numbers, account numbers and account types.

At the time of reporting, HSBC had drafted a letter to customers informing them that their information was stolen but it was unclear whether the letter had been sent. HSBC did not immediately respond to a request for comment.

Neither the letter, nor the report, specified what types or how many customers were affected by the theft.

California law requires businesses to report data breaches to the state. Though HSBC’s breach happened on July 27th, 2012, HSBC reported the incident on Tuesday.

The letter does not state why it took so long to report the breach.

Whatever corrective measures HSBC Bank USA undertook in California after mid-2012, they hadn’t had much effect in New Hampshire by the end of 2013:

HSBC recently began notifying an undisclosed number of customers that their personal information may have been inappropriately accessed by an employee (h/t DataBreaches.net).

On November 1, 2013, the company learned that an employee who was authorized to access customer account information had done so with the intention of misusing the data. The information involved in the incident includes customers’ names, Social Security numbers, personal identification numbers (i.e. driver’s license numbers), phone numbers, account numbers and account types.

HSBC has uncovered fraudulent activity on three of the affected accounts. “Although our investigation is ongoing, the employee has been terminated and HSBC has reported this incident to the New York Special Fraud Unit for further investigation,” HSBC North America executive vice president for corporate compliance Gillian Van Schaick wrote in the notification letter [PDF].

Just three accounts are affected. ‘Tis but a scratch.

Meanwhile there’s another tax haven kerfuffle on the brew, in Jersey:

UK tax authorities are in the early stages of examining a recently received leaked list of 4,388 British residents who bank with HSBC in the tax haven of Jersey.

HM Revenue and Customs confirmed it was probing the list, following a report that serious criminals were banking in the Channel Islands, for potential tax evasion.

“We can confirm we have received the data and we are studying it,” HMRC said in a statement. “Clamping down on those who try to cheat the system through evading taxes and over-claiming benefits is a top priority for us, and we value the information we receive from the public and business community.”

The information is the latest in a string of illegal leaks of private offshore financial details from some of Europe’s most controversial tax haven jurisdictions. HMRC is reported not to have paid for the information on HSBC accounts, though that could not be confirmed.

The bank insisted on Friday morning it had not been notified of any HMRC investigation. “Should we receive notification, we will co-operate fully with the authorities,” HSBC said.

HSBC (2012) seem to be more cooperative than HSBC Private Bank (Switzerland) (2009). “Autre pays, autre moeurs”, one might say; in some respects, though, it does seem to be exactly the same HSBC:

A report in the Daily Telegraph suggested those on the list hold a total of £699m with the bank and may also have billions of pounds in investment schemes. The list is said to include one drug dealer, an individual convicted of possessing more than 300 weapons at his house in Devon and three bankers already accused of fraud.

The Jersey regulators have a hot potato:

Financial regulators in Jersey have launched an inquiry into HSBC, one of the biggest banks on the island, following a leak of the names of thousands of bank account holders said to include individuals with a history of links to drug and gun crime.

The move follows confirmation that UK tax authorities had also begun eagerly working through the list looking for possible evidence of discrepancies in British offshore depositors’ tax affairs.

The leak is highly embarrassing for Jersey, which claims to have comparatively tough regulations for its licensed banks, requiring them to know who their customers are and where their funds come from.

“Jersey has got some of the toughest anti-money laundering regulations in the world, as assessed by the IMF [International Monetary Fund],” said Jersey treasury minister Philip Ozouf. “There are many jurisdictions with banking secrecy and much lower standards than we have. We are a global leader in this area.”

Geoff Cook, chief executive of the island’s powerful lobby group Jersey Finance, said: “This is a serious matter and we note HSBC’s immediate commitment to co-operating with any investigations carried out by the relevant authorities and welcome the clear position taken by the JFSC [Jersey Financial Services Commission, the island’s financial regulator] that any failure to adhere to Jersey’s clear standards will be robustly investigated and acted upon.”

If you thought that jokes about incest on small islands were boring, tired and tasteless long ago, think again. Geoff Cook used to wear another hat:

Before joining the financial lobby group Cook was head of wealth management for HSBC and before that worked as deputy chief executive of the bank’s operations in Jersey.

Mindful of the potential conflict of interest, Mr Cook will of course be very careful what he does with that powerful lobby group. Let us see how the story develops: hot potato or damp squib?

It should be abundantly obvious by now that ISO27k, the information security standards family, (quick link for amnesiac cheapskates), isn’t among the ISO standards that HSBC has adopted, in Hong Kong itself, or elsewhere.

IT security consultants reviewing the back story and scenting a massive global prospect might want to ponder certain difficulties.

First: if ten years of data breaches, frauds, scandals and fines haven’t got HSBC highups beating at your doors already, they probably aren’t going to be all that interested in your pitch now, either.

Second: there’s not much evidence that HSBC subsidiaries always pay attention to any IT security edicts emanating from the top of the organisation anyway. One might expect certain implementation difficulties for a centrally sponsored IT security project.

Third: if, improbably, you did manage to make the sale and execute the project, you might be helping secure the data of tax avoiders, fraudsters and terrorists, as well as good honest clients. Is that what you want? The usually effective rejoinder, which is that one can’t be so prissy about it, because no bank’s client vetting could ever be perfect, looks unconvincing in the case of HSBC, the nonpareil, as of 2012, of moneylaunderers:

HSBC was guilty of a “blatant failure” to implement anti-money laundering controls and wilfully flouted US sanctions, American prosecutors said, as the bank was forced to pay a record $1.9bn (£1.2bn) to settle allegations it allowed terrorists to move money around the financial system.

Hours after the bank’s chief executive, Stuart Gulliver, said he was “profoundly sorry” for the failures, assistant attorney general Lanny Breuer told a press conference in New York that Mexican drug traffickers deposited hundreds of thousands of dollars each day in HSBC accounts. At least $881m in drug trafficking money was laundered throughout the bank’s accounts.

“HSBC is being held accountable for stunning failures of oversight – and worse,” said Breuer, “that led the bank to permit narcotics traffickers and others to launder hundreds of millions of dollars through HSBC subsidiaries and to facilitate hundreds of millions more in transactions with sanctioned countries.”

As you might expect by now, HSBC may not have fallen over themselves to fix that problemette, either:

HSBC has made some progress in improving its anti-money laundering program as required by a 2012 deferred prosecution agreement with the U.S. Justice Department, but there remains “much work to be done,” federal prosecutors said in a Tuesday court filing.

The British bank paid nearly $2 billion (1.2 billion pounds) in penalties in December 2012 to resolve charges that it failed to stop hundreds of millions of dollars in drug money from flowing through the bank from Mexico, and it promised to fix the problems.

The government had selected independent monitor and former New York prosecutor Michael Cherkasky to monitor HSBC’s compliance with the agreement. The Tuesday report describes Cherkasky’s conclusions to date.

“Based on his Initial Review and subsequent conversations with the Bank, the Monitor believes that the leadership of HSBC Group is appropriately committed to addressing the Bank’s longstanding compliance deficiencies,” the Justice Department said in the filing.

It added that Cherkasky, who hired dozens of experts to help him, found that many of the bank’s actions to correct anti-money laundering deficiencies “did not begin in earnest until early 2013,” after it entered into the agreement.

HSBC reportedly disputed that finding and “maintains it did act promptly to begin remediation efforts prior to 2013,” the court document states.

More than two years prior to the agreement, an order by HSBC’s regulator, the Office of the Comptroller of the Currency, cited failures to properly police high-risk cash transactions and ordered anti-money laundering improvements.

HSBC spokesman Rob Sherman declined to comment.

Fourth, if HSBC were ever to be suspected of actually exercising control over what goes on at their subsidiaries, those moneylaundering incidents (oops, there’s another one, reported in 2013) might start to entangle the great and good on HSBC’s main board, and that would never do. IT security is one such control mechanism.

So if you still want a bit of that ambiguous conflicted global mess, dear IT security consultants, then by all means go ahead and pitch.

This blogger has an alternative recommendation: forget the sale, get the popcorn, and look out for amusing statements, non-statements, cluelessness, fingerpointing and other miscellaneous ducking and diving by HSBC spokesmen in the years to come. There will assuredly be plenty more.

