HSBC is notifying over 180,000 of its customers in the US of a data security breach at a retailer that could have allowed fraudsters to access their personal financial information.
According to a report by The Wall Street Journal (WSJ), customers using the bank's General Motors-branded MasterCard - one of the most widely held cards in the US - to make purchases at Polo Ralph Lauren stores are affected by the breach.
HSBC has written to affected customers urging them to replace their credit cards following the incident, which is thought to have taken place a month ago.
WSJ says that although HSBC so far appears to be the only financial institution to admit that it is alerting cardholders of the incident, credit cards issued by other banks also could be vulnerable.
The report cites a statement from Visa USA which says the card company is aware of a data security breach and is working with the merchant, law enforcement and the affected member financial institutions to monitor and prevent fraud.
WSJ also says that although banks have to report breaches that occur in-house or at financial firms they deal with, HSBC wasn't legally required to notify its cardholders of the breach because the incident occurred at a separate retailer, not within the bank or the credit-card company.
California is the only state in the US where companies are required to notify customers when personal data is exposed, but many other states are considering implementing legislation following recent data security breaches at credit data firm ChoicePoint and LexisNexis.