HSBC has said some of its US customers’ bank accounts were hacked in October.
The lender said that the perpetrators may have accessed information including account numbers and balances, statement and transaction histories and payee details, as well as users’ names, addresses and dates of birth.
The BBC understands the firm believes that fewer than 1% of its American clients were affected.
It said it had already contacted those thought to have been exposed.
“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” the bank said in a statement.
“We have notified those customers whose accounts may have experienced unauthorised access, and are offering them one year of credit monitoring and identity theft protection service.”
The bank said the online accounts were breached between 4 and 14 October.
It is not clear whether the attackers have tried to make use of the data to steal savings.
A template of the alert sent to customers has been posted online by the California Attorney General’s Office, although the hack was not limited to that state.
One expert said it appeared that the technique involved was “credential stuffing”, in which personal details harvested from elsewhere had been used to gain unauthorised access to the accounts.
“The information made public so far by HSBC is quite limited,” said Prof Alan Woodward from the University of Surrey.
“It is clearly still investigating what happened whilst taking the actions necessary to protect customers and advise regulators.
“There’s a lot more information we’ve yet to see, which I hope HSBC makes public when it has it.”