HSBC says some of its U.S. customers' bank accounts were hacked in October.
The lender said the perpetrators may have accessed information including account numbers and balances, statement and transaction histories and payee details, as well as users' names, addresses and dates of birth.
It believes fewer than 1 percent of its American clients were affected and it has already contacted those thought to have been exposed. HSBC has offered them "one year of credit monitoring and identity theft protection service."
The bank said the online accounts were breached Oct. 4-14. It is not clear whether the attackers have tried to make use of the data to steal savings.
A template of the alert sent to customers has been posted online by the California Attorney General's Office, although the hack was not limited to that state.
One expert said it appeared the technique involved was a "credential stuffing," in which personal details harvested from elsewhere had been used to gain unauthorized access to the accounts. It is clearly still investigating what happened while taking actions necessary to protect customers and advise regulators.