
Once More To The Breach – HSBC Is Latest Cyber-Attack Prey

Jackie Bennion

9 November 2018

did not say how many customers had been exposed in the attack but did volunteer that personal details hackers may have accessed included “your” full name, mailing address, phone number, email address, date of birth, account numbers and account types, statement and transaction histories and payee details; in other words, a full house of options for cyber-criminals to run with.

In the letter sent to the California Attorney General’s office, the banking giant said that it had “notified those customers whose accounts may have experienced unauthorised access”, and offered a year of credit monitoring and identity theft protection for those affected.

It said that steps had been taken to “enhance” the online banking authentication process and an extra layer of security added. The hack took place sometime between 4 and 14 October 2018, the statement said.

The latest story underscores the vulnerability of banks and wealth managers, including family offices, to cyber-attacks. In 2014, hackers obtained 76 million JP Morgan client account details, for example, although the bank said no money was stolen. Concerns about security are a reason, some reports have said, why wealth management clients are not keener to embrace new digital banking channels.

In terms of numbers affected, the bank would only say they amounted to less than 1 per cent of its US customer base. Reports have since suggested this is anywhere up to 12,000 accounts based on the lender’s roughly 1.2 million US customers.

It is understood that the hackers used a method known as “credential stuffing”, where they use login details leaked from breaches at other companies in the hope that they will unlock access to other accounts, including sensitive banking information; it is a trial-and-error approach that exploits consumers’ tendency to use the same username and password across a host of services.
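Because the approach described above tries one leaked username and password pair per account, it looks different in login logs from a customer mistyping a password or from repeated guessing against a single account. The sketch below is an added example, not code from HSBC or from this article; the event layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
# IPs are from documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    # One source walking a leaked list: many accounts, one try each, one hit.
    [(1000 + 10 * i, "203.0.113.7", f"user{i}", i == 4) for i in range(8)]
    # A customer mistyping their own password, then succeeding.
    + [(1000, "198.51.100.20", "alice", False),
       (1030, "198.51.100.20", "alice", False),
       (1060, "198.51.100.20", "alice", True)]
    # Repeated guessing against one account: many tries, a single username.
    + [(2000 + 5 * i, "192.0.2.55", "bob", False) for i in range(12)]
)


def detect_credential_stuffing(events, window=300, min_users=5,
                               max_tries_per_user=2, min_fail_ratio=0.8):
    """Return {source_ip: summary} for sources whose logins inside any
    `window`-second span touch at least `min_users` distinct usernames,
    at most `max_tries_per_user` attempts each, mostly failing."""
    by_source = defaultdict(list)
    for ts, ip, user, ok in events:
        by_source[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window so it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            tries = Counter(user for _, user, _ in span)
            failures = sum(1 for _, _, ok in span if not ok)
            if (len(tries) >= min_users
                    and max(tries.values()) <= max_tries_per_user
                    and failures / len(span) >= min_fail_ratio):
                # A later qualifying window overwrites the earlier summary.
                flagged[ip] = {
                    "distinct_users": len(tries),
                    "attempts": len(span),
                    # Logins that succeeded here are candidates for a reset.
                    "compromised": sorted(u for _, u, ok in span if ok),
                }
    return flagged
```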

Cyber-attacks have become a universal fact of life outside an Amish-style existence, and security specialists paint a complex picture that is hard to manage.

Expert Frans Labuschagne said that financial institutions tread a delicate line between protecting consumers’ data while “still allowing them the freedom to keep engaging in a multitude of online activities”.

Labuschagne, who manages security solutions for the UK fintech firm Entersekt, said that although there is far greater focus on cyber-security and regulations are tightening, the way in which personal data is currently being protected, particularly in the financial industry, does not appear to be working.

Part of the challenge, he said, is “the rapid rise of e-commerce and consumers growing increasingly comfortable with sharing their personal data with multiple websites and companies every day” - a fluency few want to curtail.

Labuschagne believes that traditional approaches are no longer fit for purpose given the level of digital innovation under way. One step is to “make identity protection an active part of a consumer’s financial life”, he said.

In further comment, Corin Imai, a senior security adviser at the threat-intelligence group DomainTools, said financial institutions have been making “large strides in protecting customer data since it is among the most valuable data to steal and potentially the most damaging type of PII to be exposed.”

Imai said that he thought HSBC was taking “the proper steps” in notifying and handling the customers affected, although there has been no official follow-up since the disclosure.

A WIRED UK report earlier this year suggested that the bank was not staying on top of encryption updates for browser activity; and a recent study by researchers at the UK’s Swansea University ranked HSBC in the bottom five of 25 banks assessed on the technical measures they had in place online.