HSBC has alerted its business banking clients that personal identification documents submitted during account applications may have been compromised following unauthorised access to a third-party platform. The bank confirmed via email to customers that identity documents, images, and contact details provided during account setup were exposed. HSBC emphasised that its own systems were unaffected, with passwords, PIN codes, and biometric security measures such as Voice ID remaining uncompromised.
The breach has raised concerns over potential identity theft and fraud. While HSBC reported no evidence of fraudulent activity resulting from the incident thus far, it advised customers to closely monitor their accounts, credit reports, and bank statements for any suspicious activity.
To mitigate risks, HSBC is offering affected customers a complimentary 12-month subscription to Experian’s Identity Plus service, which provides monitoring of personal information and alerts for potential misuse. Additionally, a dedicated helpline managed by Experian has been established to handle enquiries until 8 October 2025.
This breach follows recent high-profile incidents, such as the Harrods data breach affecting loyalty scheme members, highlighting the vulnerability of customer information managed by external providers.
Cybersecurity experts caution that the increasing reliance on third-party platforms for data storage and verification continues to expose companies and their clients to higher risks. This incident underscores the necessity for firms, particularly financial institutions, to enhance due diligence on their technology partners.
HSBC stated it worked with external specialists to investigate the breach and implemented measures to prevent further unauthorised access. The bank reiterated that it would never request sensitive information such as PIN codes or passwords via phone or email and urged customers to remain vigilant against potential phishing attempts.
An HSBC spokesperson commented: “We recently became aware of unauthorised access to a third-party platform holding personal identity information and documents from new HSBC UK business banking account applicants. We have implemented measures to prevent further unauthorised access and have contacted those potentially affected. HSBC’s systems are separate and have not been impacted. Customers can continue to use their accounts as normal. We take the safety of customers’ and applicants’ information very seriously and employ a range of measures to keep this information safe. We are sorry for any concern and inconvenience this may cause.”
