A security flaw could have left Halifax and Bank of Scotland customers exposed to online fraud, as customers’ account activities were left visible to anyone for as long as six years.
No password was necessary to access personal account details, meaning that cyber crooks could have accessed accounts without needing to hack.
It appears the breach may have been around since Halifax and Bank of Scotland became part of the Lloyds banking group six years ago. Together, the banks have 22 million customers, but how exactly many have been impacted by the glitch is still unclear. A spokesperson for Lloyds banking group said that a maximum of 23,000 customers could have been affected.
The spokesperson added that no instances of fraud have been reported:
We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems. All applications are scrutinised for anything suspicious and this triggers further action immediately.
The security hole meant that to begin the process of setting up a new account nothing more than a name, date of birth and address was needed, although the banks do then carry out further verification checks. Once the account was set up, it would then link to any existing services the customer already had, potentially giving anyone access to see banking, credit card or mortgage activity.
Martin Lewis, founder of MoneySavingExpert, said:
In a world where scammers and hackers are getting ever more powerful we need our banks to step up their action, this isn't good enough. The ability to easily view all of someone's banking details is a criminal's Christmas, never mind the potential privacy breach.
This wasn’t some clever hacker finding a breach, it was simply a design flaw.
The problem was initially discovered by MoneySavingExpert last week, and since the banks were alerted to it security has been beefed up.