HSBC has warned business banking customers that personal identification documents submitted during account applications may have been compromised following unauthorised access to a third-party platform.
In an email sent to customers earlier this month, the bank confirmed that identity documents, images and contact details provided when opening a business account were exposed in the breach. HSBC stressed that its own systems remained unaffected, with passwords, PIN codes and biometric security such as Voice ID uncompromised.
The breach raises concerns about potential identity theft and fraud. HSBC said there was no evidence of fraudulent activity arising from the incident so far, but urged customers to monitor their accounts, credit reports and bank statements closely for suspicious activity.
To mitigate risks, the bank is offering affected customers a complimentary 12-month subscription to Experian’s Identity Plus service, providing monitoring of personal information and alerts for possible misuse. A dedicated helpline managed by Experian has also been set up to handle queries until 8 October 2025.
One affected customer, who declined to be named, told Business Matters: “I provided passport details in good faith to HSBC as it was necessary for identification before opening up a business account. Now I’m worried that money will be taken out of the company account by crooks, with the third-party platform having been hacked. Worse, that my passport details could be sold on the dark web.
“I had reservations about providing ID proof in the first place because cyber attacks are now so prevalent but you put your trust in the banks to get online security right, including tech partners. Frankly, nowhere is safe in the online world these days and businessmen and women need to be constantly on alert for data breaches involving their details. In the wrong hands, lives and livelihoods are devastated and there is little redress.”
This latest breach comes after recent high-profile cases, including Harrods’ data breach affecting loyalty scheme members, which also highlighted the vulnerability of customer information in the hands of external providers.
Cybersecurity experts warn that the growing reliance on third-party platforms for data storage and verification continues to expose companies and their clients to heightened risks. The incident underscores the need for firms, particularly financial institutions, to strengthen due diligence on their technology partners.
HSBC said it had worked with external specialists to investigate the incident and had taken steps to prevent further unauthorised access. The bank reiterated that it would never request sensitive information such as PIN codes or passwords by phone or email and urged customers to remain cautious of potential phishing attempts in the wake of the breach.
HSBC has been contacted for a response.