HSBC, one of the larger banks in the world, has disclosed a serious data breach in which attackers were able to gain access to a broad spectrum of customer information, including full personal details and transaction history.

The bank said the breach spanned 10 days, from Oct. 4 to Oct. 14, but did not disclose how many customers were affected. HSBC also didn’t specify the geographic locations of the affected customers. In a breach notification letter (.PDF) filed with the California Attorney General’s Office, HSBC said that it suspended online access to affected accounts when the breach was discovered.                    
                       
“The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available,” the letter says.

It’s not clear from the HSBC letter how exactly the attackers gained access to the bank’s systems. The letter says that it became aware of “online accounts being accessed by unauthorized users” which is a pretty vague description. But the bank is having users change their online banking credentials, so it’s entirely possible that the attackers had access to a set of passwords or were trying passwords from a separate data breach against HSBC accounts.

The last 15 years of data breaches have provided attackers with a vast set of usernames and passwords. And history has shown that people are not very adept at creating unique passwords that are difficult to guess, so many people reuse passwords on multiple sites, which, of course, is a terrible idea. Attackers count on this behavior and often will take a set of credentials exposed in one data breach and try those some usernames and passwords against other sites, including email providers, banks, and retailers.

HSBC officials said in the notification letter that the company has upgraded the security of its online banking system as a result of the breach.

“We have enhanced our authentication process for HSBC Personal Internet Banking, adding an extra layer of security,” the letter says.

The breach appears to affect only HSBC customers in the United States, according to a BBC report.

HSBC photo vis Elliott Brown's Flickr photostream, Creative Commons 2.0