HSBC (UK): Playing dumb

A no-profile response to a national newspaper story about a security flaw proliferates the bad impression.

The Site

The UK website of HSBC, the leading global bank, has a Security overview page in the Internet Banking information accessible from within its Personal banking section. The page includes links to detailed advice on, among other topics, ‘Secure personal banking – what we do’, which promises to help customers and potential customers “Find out what we do to keep you secure online”. The page also has details of Get Safe Online, a joint government/private sector scheme launched in October 2005 in which HSBC is a participant.

However, nowhere on the page or in the publicly accessible Secure personal banking information is there mention of the security flaw discovered in HSBC’s online banking system by researchers at Cardiff University and which was reported on the front page of last Thursday’s (10 August) The Guardian newspaper under the headline ‘Security flaw leaves 3m HSBC online accounts open to fraud’.

The Takeaway

While a fair proportion of HSBC’s UK online customers doubtless found some reassurance in its response quoted in The Guardian’s story, the decision to carry on with business as usual on the website is surely missing an opportunity to put across the bank’s side of the story on its own terms.

Many customers – and many potential customers who have no loyalty the bank can call on – will go to the website to see what the bank has to say. Even a simple statement iterating the arguments given to The Guardian would be better than nothing. As it is, the impression will proliferate unchecked by the bank that there is something seriously wrong with its online security. This is an issue about which customers continue to be nervous. HSBC could have used its website to wrest the information initiative from The Guardian, or at least counterbalance it. Leaving the field open to all comers seems like a serious flaw in its risk management.

First published on 17 August, 2006