Thursday 11 March 2010

A truly international breach

News is breaking of a breach at HSBC affecting 24,000 customers with Swiss bank accounts. The implications of this breach are global, and the press is speculating that the stolen data could expose account holders who use those accounts to avoid taxation in their home countries.

French authorities have identified a former IT employee of a Swiss subsidiary as the suspect and allege that he obtained the information between late 2006 and early 2007. When HSBC first discovered the breach, it believed fewer than 10 customers were affected. In reality, approximately 15 percent of the bank's customers could have been affected.

From a security standpoint there are a number of things that make this newsworthy. First, the breach was allegedly committed by an insider, and insider theft is among the greatest dangers to financial data: an employee with legitimate access to the systems does not need to break in, and his copying of data can look like ordinary work. Second, it appears that the suspect was attempting to sell the data, with speculation that he was offering the information to governments so they could identify tax evaders. Third, there is the numbers question. How could HSBC initially scope the breach at "fewer than 10" affected customers and later find that it numbered in the tens of thousands? An estimate that grows by three orders of magnitude suggests the initial investigation was based on what the insider was known to have taken rather than on everything he had access to and could have copied. Finally, there is the question of sovereignty. France is one country that now holds some of the data. It has promised to turn the data over to Switzerland, but the plain fact is that there is no clear-cut law that would prohibit France from using the data against its own citizens who were using Swiss accounts to avoid taxation.

With truly international data breaches, how long will it take to get truly international legislation?