HSBC Finance Corporation alerted mortgage customers that it experienced a data breach in late 2014 and early 2015 that revealed the personal information of some individuals.
The financial services company began sending letters to an unknown number of customers on April 9. Officials said they discovered the breach on March 27, and are offering free credit monitoring and identity protection services for one year.
“We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident,” a letter to New Hampshire customers stated.
The breach affected 10 HSBC Finance subsidiaries in at least four states, compromising names, Social Security numbers, account numbers and some phone numbers. The data was “inadvertently made accessible” online, the latter stated.
It is unclear which customers have learned about the breach. Companies whose data is compromised must abide by a patchwork of state regulations on notifying consumers, a problem Congress tried to solve in a recent data breach bill.
HSBC Finance did not say how many customers were affected in total, though a security researcher told eSecurity Planet that the figure could be substantial. Six hundred eight-five New Hampshire residents were affected, the company said.