Lawmakers' fury at HSBC data loss
Monetary Authority urged to take action after bank plays down security risk
HSBC came under fire from legislators last night for a 'horrible' and 'absurd' security breach after admitting that a computer server with details of 159,000 accounts had disappeared from its Kwun Tong branch.
The deputy chairman of the Legislative Council's security panel, James To Kun-sun, asked why HSBC had sat on the information for so long after reporting the loss to police and the Hong Kong Monetary Authority on April 26.
Mr To and the deputy chairman of the financial affairs panel, Ronny Tong Ka-wah, rejected attempts by the bank to play down the risk to customers.
'Any kind of invasion of privacy brings serious damage, not just in money terms,' Mr Tong said.
They were speaking after the bank confirmed the loss but said the risk of data leaks and fraudulent transactions was 'deemed to be low'. It said the server held account numbers, customer names and transaction details, but no personal identification numbers, passwords or user IDs.
The server is understood to have disappeared during renovations at the bank last month.
Describing the loss as 'horrible' and potentially one of the most serious leaks in the banking industry, Mr To said the types of missing data would be enough for fraudsters to obtain more important data.
'It would not be surprising for someone to hand over his or her PIN numbers after receiving detailed transaction records purportedly to be from the bank.' He said the HKMA should demand an immediate report and called for the bank to give full details of what remedial measures it had taken.
The bank 'should have published the case much earlier, so as to alert the customers to protect themselves', Mr To said.
Mr Tong said the situation was absurd and called for the bank to change the account numbers of affected customers as soon as possible.
Earlier, HSBC Holdings executive director Vincent Cheng Hoi-chuen had been tight-lipped in response to media inquiries, saying he could not give details as the case was being handled by the police.
Asked whether affected customers would receive compensation, Mr Cheng replied: 'I do not see there is any damage to the customers. If there are any complaints, we will deal with them.'
The HKMA said it had asked HSBC to contact affected clients and explain to them the implications of the incident and measures the bank would take to protect their interests. 'Affected customers should also be advised on what steps, if any, they should take to monitor their accounts and safeguard their interests,' a spokesman said.
The Consumer Council was also critical. Chief executive Connie Lau Yin-hing said: 'The bank should contact affected customers telling them if they need to change their account passwords and to cease bank services on the internet.'
Roy Ko Wai-tak, manager of the government-backed Computer Emergency Response Team Co-operation Centre, said he did not think customers had too much to worry about as the most sensitive data would be protected.
But Charles Mok, chairman of the Internet Society, disagreed. 'Even with encryption, professionals can still access the data if they have the time.'
