HSBC has suffered a serious data breach in its US retail business, with fraudsters gaining access to customer account details, statement histories and other personal information.
The events took place between 4 and 14 October, HSBC said on Tuesday. The bank said it immediately stopped online access to the accounts that were affected and was not aware of any customers who had suffered financial loss.
The breach is the latest in a series of high-profile security incidents at large financial services groups. Although it affected fewer people than previous breaches at companies such as Equifax and JPMorgan, fraudsters were able to access more detailed information on customers.
A bank spokeswoman said: "HSBC regrets this event, and we take our responsibility to protect our customers very seriously."
HSBC said that it had strengthened its application process and validated and implemented additional layers of security as a result of what happened. It also offered customers a year of credit monitoring and identity theft prevention services free of charge.
Banks have invested significant amounts in strengthening their cyber security in recent years, but they remain particularly vulnerable to attacks that take advantage of careless customers or employees.
HSBC said that the attackers used a method called "credential stuffing", in which offenders use passwords and other data collected from other websites to access accounts.
The bank encouraged customers to use unique passwords for their accounts and, in particular, to avoid reusing the credentials they use on social media.
The biggest breach to hit any of HSBC's US banking competitors was the 2014 incident at JPMorgan, which exposed the names, addresses, telephone numbers and emails of almost two-thirds of US households. Meanwhile, the hack of the Equifax credit reporting agency last year affected some 143m users.
By contrast, fewer than 1 per cent of HSBC's 1.4m US customers were affected by the latest breach. However, the attackers were able to access a wider range of data, including account numbers and transaction histories, according to a letter sent by the bank and released by the California authorities.