Welcome to the SecAware blog

7 Feb 2007

Request a bank statement, get 75,000

A database application error (presumably) led to a customer of HBOS (Halifax Bank of Scotland) being sent 75,000 statements for other customers when she requested hers.

Ms McLaughlan, of Netherkirkgate, Aberdeen, said: "I sent away for my bank statements to get a refund on some bank charges. A couple of days later these five packages turned up at my door and they were filled with people's names, credit numbers, what they had paid in, and had taken out every day. The details started from April 2003 and there was also the total of the bank's overdraft."

This is exactly the kind of gross error that output validation is meant to detect and stop: before a batch of statements is released, the application should confirm that every record in it belongs to the customer who made the request, and that the size of the output is plausible for that request. Whilst it is vaguely conceivable that someone may legitimately request a huge number of statements, the chances are remote enough to make this an exceptional request that can be flagged and held pending human intervention. Of course, it is also quite possible that the HBOS systems did indeed flag this one and someone mistakenly released the output. Doh!
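As an added illustration of that output validation gate (example code written for this post, not HBOS's system; the account numbers, the sample rows, the simulated buggy query and the 120-statement threshold are all constructed assumptions):

```python
"""Output validation for a 'send me my statements' request.

Illustrative example only. The in-memory table, the account identifiers
and the per-request limit are constructed for this post.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable


@dataclass(frozen=True)
class StatementRow:
    account_id: str
    statement_date: date
    balance_pence: int


# Constructed sample table: three customers with a few statements each.
STATEMENTS = [
    StatementRow("ACC-001", date(2003, 4, 30), 12_500),
    StatementRow("ACC-001", date(2003, 5, 31), -3_200),
    StatementRow("ACC-002", date(2003, 4, 30), 99_000),
    StatementRow("ACC-003", date(2003, 4, 30), 1_000),
    StatementRow("ACC-003", date(2003, 5, 31), 2_000),
]

# Assumption: no single customer plausibly needs more statements than this
# in one request (ten years of monthly statements); anything above is
# treated as exceptional and parked for a human.
MAX_STATEMENTS_PER_REQUEST = 120


def fetch_statements(account_id: str) -> list[StatementRow]:
    """Correct lookup: only the requesting customer's rows."""
    return [r for r in STATEMENTS if r.account_id == account_id]


def fetch_statements_buggy(account_id: str) -> list[StatementRow]:
    """Simulates the kind of application error the post describes: the
    account filter is lost, so every customer's rows come back."""
    return list(STATEMENTS)


def validate_output(requester: str, rows: Iterable[StatementRow]):
    """Output validation gate, run after the query and before anything is
    printed or posted.

    Returns ("release", rows) when every row belongs to the requester and
    the volume is plausible, otherwise ("hold", reason) so the batch is
    held pending human review. Ownership is checked first: a single
    foreign row is a data-protection failure regardless of volume.
    """
    rows = list(rows)
    foreign = [r for r in rows if r.account_id != requester]
    if foreign:
        return ("hold", f"{len(foreign)} of {len(rows)} rows belong to other accounts")
    if len(rows) > MAX_STATEMENTS_PER_REQUEST:
        return ("hold", f"{len(rows)} statements exceeds limit of {MAX_STATEMENTS_PER_REQUEST}")
    return ("release", rows)


def handle_request(requester: str,
                   fetch: Callable[[str], list[StatementRow]] = fetch_statements):
    """Look up the statements for a request and pass them through the gate."""
    return validate_output(requester, fetch(requester))


def synthetic_rows(account_id: str, n: int) -> list[StatementRow]:
    """Constructed helper: n statements for one account, to exercise the
    volume check without foreign rows."""
    return [StatementRow(account_id, date(2003 + i // 12, 1 + i % 12, 1), i)
            for i in range(n)]


if __name__ == "__main__":
    print(handle_request("ACC-001"))                          # release, 2 rows
    print(handle_request("ACC-001", fetch_statements_buggy))  # hold: foreign rows
    print(validate_output("ACC-009", synthetic_rows("ACC-009", 200)))  # hold: volume
```

The ownership check is the one that would have caught this incident: the volume threshold alone is a heuristic, but a statement addressed to a different account number in a batch for one customer is never legitimate, so it is checked first and fails on even a single row.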
