Banking giant HSBC is in the news again. This time, the bank has lost a computer server from the Kwun Tong branch, located in Hong Kong. Sometimes, having a huge international footprint just means having more problems. If you’ll recall, HSBC had announced last month that they had a data breach in the UK, when a disk with details of 370,000 customers went missing.
The lost server contained the data of 159,000 customers, and unlike the incident with the disk, customers should be worried about this particular incident. According to The Standard, a Hong Kong publication, the data in the lost server contains names, account numbers, and transaction records. The last could be used to zero in on high-value customers and attempt some kind of spear-phishing scam, I reckon.
The bank has stated that the chances of a data breach are minimal, since the “server is protected by multiple layers of security which are regularly reviewed.” No further details on security were given. The government is encouraging HSBC to release more details in order to further reassure the public.
One thing that caught my attention in the article was the following quote:
Internet Society chairman Charles Mok Nai-kwong said even though the server has been encrypted, there may still be ways to access the data.
"I do not know how advanced the system is or the skill of those who want to access the data. But if the server goes to the police, they will have ways to get the data," Mok said. [all emphases are mine]
Huh. Really? How did this guy know the server was encrypted? And, apparently, the NSA should outsource some of their work to the HK police. These guys are like, super cops. No wonder Jackie Chan took on the role of a HK police officer when he starred in the movie…SuperCop. Three times.
Maybe there were translation issues when the article was written. I’ll tell you this much, though. If the above quote is true and the HK police can easily break the encryption on HSBC’s servers, the bank must have teamed up with the worst data security company this side of the Mississippi.
The point of having full disk encryption is to prevent anyone not holding the passwords from getting to the data. If the police can get into it, chances are others can, too, and this defeats the purpose of having encryption. One could argue, well, perhaps the HK government requires a backdoor be installed on any encryption products used in Hong Kong, and only the police know about it. Again, that becomes a security risk. The best encryption software does not have backdoors, and people tend to migrate away from such products if a backdoor is found.
Consider AlertBoot, for example. It offers a number of different encryption algorithms at different strengths (RSA, AES; 128-bit vs. 256-bit or higher; etc.) that are considered by experts to be the encryption standards of this day. Plus, try as they may have, the experts haven’t been able to find a *** on these encryption methods, including backdoors. I don’t know what Mr. Mok knows, but if HSBC had gone with AlertBoot, he wouldn’t have offered that statement.