HSBC in the US has begun notifying an undisclosed number of customers that their mortgage account data may have been inadvertently published on the Internet.
The exposed information included customers’ names, account numbers, Social Security numbers, and old account information, including some telephone numbers.
HSBC confirmed the breach in a letter to the New Hampshire Attorney General's Office, where disclosure is mandated under State law. The bank says that 685 residents of New Hampshire are among those caught up in the breach.
The incident impacted a host of HSBC subsidiary firms, including lenders in Maine, Massachusetts, and Alabama, among others.
The bank learned of the incident late last month and says that customer data may have been exposed since the end of 2014.
"We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident," the bank writes. "We have ensured that the information is no longer accessible publicly. The company has notified law enforcement and the credit reporting agencies of the incident."
Tim Erlin, director of security and risk, Tripwire, comments: "This is an example of breach notification laws in action, for both good and bad. We’re finding out about this breach because HSBC has been required to notify residents of New Hampshire who were affected, but the notification laws vary across states and countries so that the extent and impact is obscured."