A security loophole in HSBC's online banking system left millions of its customers exposed to fraud for at least two years, according to a newspaper report.
Researchers from Cardiff University told the Guardian that anyone exploiting the flaw would have been able to break into any of the 3.1 million accounts registered for the bank's internet banking service within nine attempts.
The Guardian did not publish details of the defect, but reported that the fault centred on the way HSBC customers accessed their online banking service.
It said that hackers using so-called "key-loggers" – gadgets or software viruses which record the keystrokes made on a targeted computer – would be able to work out the information needed to gain "unfettered access" to HSBC accounts within a few attempts.
The paper reported that other UK banks use an alternative system, which researchers claim is more secure.
"There are serious issues here," Professor Antonia Jones, who led the Cardiff research team, told the Guardian.
"Banks are in the business of safeguarding your money, and if they tell you that it's safe then you assume that's the case."
"For banks or institutions that are making huge amounts out of their customers not to protect them is pretty scandalous," the computer scientist added.
HSBC said that it was constantly seeking to upgrade its online security and would examine the issues raised in the Guardian's report "very closely".
But the high street bank insisted that the uncovered flaw amounted to an "extremely sophisticated attack" which was unlikely to be used by criminals.
"It is therefore not likely to be a profitable way for criminals to behave. Nevertheless, we are always seeking to upgrade our online security and we will examine the issues raised here very closely," HSBC said.
"Online fraud via HSBC's internet banking system is substantially lower than the market average and we are satisfied that our customers are more than adequately protected."