This morning I went to use my HSBC credit card to pay for some gas and was told to see the attendant. That’s odd I thought, but since I was in a hurry I tried another card and everything worked fine. I didn’t really think much about the incident and figured it was just an issue with the payment terminal… until I got home and found a letter from HSBC. The letter, dated two days earlier, stated:
This is to inform you that we will be sending you a replacement HSBC credit card with a new account number due to a security breach. Although this breach was not caused by us, we are taking this precautionery step to reduce the risk to your Account. Providing our cardmembers with a safe and credit card experience is one of our top priorities.
The letter then goes on to say when I can expect my new card and how to activate it. No explanation of what happened or how my account was compromised. Way to step up and take responsibility HSBC! WTF? You turn off my card and use snail mail to notify me. Somebody, but not you, got hacked and my info was compromised – but you give me no details on how this happened or which company was breached. Was it a partner? Was it someone you contracted with? And how much of my personal information was possibly stolen? Way to be upfront HSBC! Doing the bare minimum required by law to inform me of the situation shows me how truly dedicated you are to making security a “top priority”.
Turns out that Heartland Payment Systems, a payment processor, was the company that got hacked. Heartland is now being sued for damages by the banks and credit unions impacted by the data breach. The breach has already affected over 500 financial institutions and may be the largest ever disclosed. Banks started replacing cards back in February, but I guess it wasn’t a “top priority” at HSBC until mid-March. More information about the breach is available from Heartland at the appropriately titled 2008 Breach website.