At least one UK Cahoot Customer is making a formal complaint to the UKIC
over this. The story about the issue itself is carried at
http://news.bbc.co.uk/1/hi/business/3984845.stm

A few of the comments by people who have "Had their say" are extraordinary,
for example:

"I am a Cahoot customer and although I don't think this is a hugely serious
security breach I am particularly aggrieved to have to find this out from
the BBC rather than from Cahoot. I'd expect better than this from them."

Well, apart from being hugely serious it was also against the law!

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Simon Howarth (WSL)
Sent: Friday, November 05, 2004 9:33 AM
To: [log in to unmask]
Subject: Re: [data-protection] Cahoot and Data Protection

I would encourage any Cahoot customers to issue a SAR and ask about audit
trails on access to their account. There should be some.

I bank on the Internet (different bank) with some reservation. Many of the
technical people I know (developers, security specialists etc.) will not
even consider it - maybe that says something about the confidence of
systems?

Abbey should be made to inform every customer whether or not their details
were accessed in this way, or at least provide them with the audit trail of
access so that customers can see if it was them accessing their account or
someone else.

I would also encourage people to consider switching banks. There are many
out there clamouring for your business and whilst no system is perfect, this
sort of error is unforgivable IMHO.

Simon Howarth.

-----Original Message-----
From: This list is for those interested in Data Protection issues
[mailto:[log in to unmask]] On Behalf Of Tim Trent
Sent: 05 November 2004 08:50
To: [log in to unmask]
Subject: [data-protection] Cahoot and Data Protection

Who else picked up on this today?

BEGINS

Cahoot hit by web security scare

A security loophole at internet bank Cahoot allowed customers to access
other people's accounts, a BBC investigation has revealed.

The website, run by Abbey bank, was closed down for 10 hours on Thursday to
carry out urgent repairs.

The site has now reopened and the bank says the problem, which was caused by
a system upgrade, has been fixed.

Cahoot said that even with the flaw, hackers would not have been able to
move money between accounts.

ENDS

The point is that EVERY SINGLE Cahoot customer's personal financial details
and transactions have been opened up to general view. So, if you bank with
Cahoot anyone could have seen your balance, your payments, your income. To
heck with hackers and moving money. It is a major breach of the Data
Protection Act 1998 anyway. Period.

Is the Information Commissioner going to act on this? I imagine it depends
whether anyone complains.

Place your bets NOW!

If Data Protection is not burnt into the brain patterns of every employee
then this could happen in your organisation!

Tim Trent - Consultant
Direct: +44(0)1344 392644 Mobile:+44(0)7710 126618
email: [log in to unmask]
Marketing Improvement Limited, Abbey House, Grenville Place, Bracknell,
United Kingdom, RG12 1BP http://www.marketingimprovement.com
This message is for the intended addressee's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mis-transmission. If
you receive this message in error, please immediately delete it and all
copies of it from your system, destroy any hard copies of it and notify the
sender. You must not, directly or indirectly, use, disclose, distribute,
print, or copy any part of this message if you are not the intended
recipient. Any views expressed in this message are those of the individual
sender, except where the message states otherwise and the sender is
authorised to state them to be the views of any such entity.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^