HSBC mistakenly reveals almost 200 email addresses of its wealthiest customers on a routine mailshot, following an identical breach last year.
Bank gaffe shows info of wealthy customers
A bank blunder has revealed the personal email details of scores of HSBC's high-income customers for the second time in two years.
The security breach occurred after a mass email was sent on Sunday morning to 178 customers of HSBC Premier, the bank's account level for high earners, advising them that it was due to implement an IBAN number system used for international transfers.
HSBC Premier is the bank's top-level retail account and requires customers to maintain a minimum balance of Dh350,000 (US$95,289) or transfer salary of at least Dh600,000 per year. The email sent by the bank included the names of senior officials at a number of major energy, media and legal firms in the Emirates.
"As a result of a human error at HSBC Premier, some customer email addresses were visible to other customers in an email notification. No other contact details or customer account information was divulged," said Rick Crossman, the head of retail banking and wealth management for the UAE at HSBC Middle East.
"There is absolutely nothing to suggest that this incident would allow any third party to access any client account information. We deeply regret this situation and unreservedly apologise to our customers for this possible compromise of their privacy," he said.
"Necessary measures will be taken to avoid recurrence of a similar experience in the future," Mr Crossman added.
But internet security experts warn that personal email information can be used by fraudsters to dupe customers into providing confidential account information.
"If a hacker has an email address, he will craft an email really looking like it is coming from HSBC, and at the same time he will craft a website really looking like the HSBC website," said Kamel Heus, the managing director in the Middle East and Africa for the anti-virus software firm Sophos. "He will put a link in the email telling the customer they are updating the system and they have to update the customers' record urgently."
One customer, whose email address was mistakenly displayed, said that similar promises had been made to fix security breaches in the past after a lapse a year ago.
"There's something wrong with the way that they're communicating with customers that they need to sort out in a more systematic way," said the customer, who asked not to be named.
In April last year, HSBC customers complained after a similar mass email was sent with recipients' email addresses left unredacted. A bank spokeswoman said the two incidents were not identical, but declined to elaborate.
The bank's data controls have landed HSBC in trouble in the UK, where it was fined a total of £3.18 million (Dh18.41m) by the Financial Services Authority in 2009 after security lapses.
The bank was criticised for losing an unencrypted CD containing details of 180,000 customer accounts, as well as failing to provide staff with sufficient training to prevent identity theft.
The latest error would raise fears among the bank's customers about operational security, said Wissam Khoury, regional managing director of SunGard, an IT services company focused on the financial services sector.
"Many clients would think 'If you do a simple mistake like that, God knows what's going on in the back office'," he said. "This is obviously a mistake, but if your bank makes a mistake, it's not something you'd like to brag about."
* additional reporting by Ben Flanagan and Gareth van Zyl