Earlier today I was attempting to purchase something for our business over the phone from a household-name retailer. After 4 failed attempts at making payment it became apparent that there was a problem with taking payment from my business card. I know there’s no shortage of money behind it, so I couldn’t understand the problem.
I phoned our business bank – HSBC – to try and understand why my payment wouldn’t go through. I spoke with someone on a helpdesk in UK who told me that the HSBC Fraud Team had stopped my card, and that I needed to talk with them. He put me through to India.
Now talking with a lady in India, and struggling a little with her thick accent on a poor quality international line (I’m guessing VOIP), and a lot of background noise at her end, I tried to understand the problem. As best I could ascertain:
HSBC IT systems have been hacked (not that that was the word she used!), and a number of customer card details have been “compromised” (I think that means “stolen” in plain English), and my card was amongst those “affected” (another word for “stolen” I guess). HSBC had reacted by blocking my card to prevent the theft of money from my business account.
What HSBC had not done, based on a check of my postbox, email inbox and telephone for voicemail and/or SMS was tell me that they had done this! They had decided to keep it as a real surprise for me the next time I tried to use my card!!! How kind, I don’t think…
I eventually managed to make the payment and purchase what we needed by having the retailer on one phone, and a man from HSBC Fraud Department on the other simultaneously. Not convenient, and organising it took several hours more out of my working day than I wanted to waste on simply accessing my own company’s money, but at least it happened.
The Man From HSBC India Fraud Team (who was nowhere near as cheery as the Man From Delmonte…) finished our call by saying that “Your card ending **** is no longer valid and you can destroy it.”
Apparently it will take anywhere up to 2 weeks for my new card to arrive, during which time I have no card access to the funds in this business account and must use another instead. In English that means: I now have to use my personal card to make business purchases, then claim them all back afterwards.
A few thoughts on HSBC IT:
- Why are the HSBC IT systems so poor and insecure that sufficient details of any card were stored together in a format where they were either unencrypted, or easily decrypted? My understanding is that this is a clear breach of the PCI DSS 2 standard (which, as it’s been around nearly 5 years, they should really have adopted by now!).
- Why are the HSBC IT systems so poor and insecure that details of any card were able to be stolen (let alone all details for a single card, and unencrypted at that, which is what I understand has happened)?
From a customer service service perspective:
- Why did HSBC not contact me to tell me of the problems with my card, rather than wait for me to find out and then call them? Perhaps they were hoping I wouldn’t notice their massive IT security inadequacies and would simply accept the new card when it arrived and not ask any questions?
- Given that the fault was HSBC’s and not mine, why must I wait nearly 2 weeks without a card to get a new one? Surely they could deliver an express service, by way of an apology for their failings, if they were truly contrite? Which suggests to me there is no corporate contrition for their incompetence.
All in, I’m very disappointed with HSBC, both as a customer and as an IT professional. I’m now faced with 2 weeks of incurring company expenditure on my personal account, then claiming it all back on expenses afterwards. The time this will waste is on top of the time that HSBC wasted for me yesterday. I can’t get time back, so HSBC is frittering away my life!
I’d like to think that HSBC has now fixed their weak IT security and this will never happen again. Obviously the Man From HSBC wouldn’t comment on this although I did ask. I’d also like to think it wouldn’t have happened in the first place. Will HSBC offer me compensation for the trouble they have caused? I doubt it.
Sadly it’s not as though HSBC IT Security failures are new either, because The Sun reported one 7 years ago.
If you’ve been affected by the IT failings of HSBC, or indeed any other bank, feel free to share your experiences with others by leaving a comment below.
And if you’d like to warn anyone you know who may have an account with HSBC that their card may be blocked, and they may not even know it, why not share this post with them?