Security fears as HSBC forgets to BCC
Customer complains of attempt to hack email account after bank sends mass mail to Premier customers with 400 addresses visible in ‘To’ field.
April 25, 2010 2:50 by Ben Flanagan
Some of HSBC Middle East’s wealthiest customers have complained that their privacy has been compromised after the bank sent a mass mailout to its ‘Premier’ customers – whom are required to maintain a minimum balance or investment of AED350,000 ($95,300) – with customers’ email addresses visible in the ‘To’ field.
The customer service email, which was sent on April 21 and contained details of a funds transfer form, disclosed the private email addresses of more than 400 people, including some prominent Middle East business people, in what amounts to a serious security breach.
One customer complained that an attempt was made to hack his email account just two days after the HSBC communication was sent out. The customer alleges that this is down to the email list falling into the hands of fraudsters, although this claim could not be independently verified.
“I’ve already had someone try to hack my email account. I’ve had the same [email] account since 1999 and this is the first time that someone has attempted to reset my account password. I can only assume that ‘the list’ is now in the hands of fraudsters. It’s not really a surprise,” said the customer, who did not wish to be named.
A copy of the HSBC email obtained by Kipp includes the personal email addresses of executives from some of the Middle East’s most prominent companies. These include the CEO of one of the Middle East’s largest media companies, along with staff at firms such as Dubai World, Maktoob, McKinsey, Shuaa Capital, Reckitt Benckiser and the notoriously publicity-shy Trafigura.
Another email seen by Kipp was sent by a disgruntled customer, requesting that the bank “remove my email address from HSBC emails like this [as] I would prefer to keep my banking history private.”
This email was followed by an apology note sent by HSBC to its Premier customers, which explained the issue as “an inadvertent error while formatting the e-mail.”
There is no suggestion that HSBC Middle East’s customers have had their online banking accounts compromised. The bank confirmed this in a written statement sent to Kipp. “No customer bank account security has been compromised as a result this incident. Email addresses are not part of HSBC security protocols, and therefore no account is at risk.”
HSBC apologized for sending the email. “Because of a human error at HSBC Premier, some customer email addresses were visible to other customers in a routine administrative communication. We deeply regret this situation and unreservedly apologise to our customers for this possible compromise of their privacy. Necessary measures will be taken to avoid recurrence of a similar experience in the future.”