Changing of account data by leading banks placing customer data at risk

A fresh move by leading banks in the UK to change account data for around one million customers could place such data at risk from hackers, the Financial Conduct Authority has warned.

Leading banks in the UK are separating core services like savings accounts from investment banking, but the transition may expose certain data to hackers.

Citing an anonymous source at the Financial Conduct Authority, Bloomberg reported that the authority is concerned about the security of customer data as a result of a proposed change of account numbers by leading banks in the country.

The source told Bloomberg that the FCA has let such banks know about its concerns, and has warned them about the potential cyber risks that may arise as a result of the change. The move is aimed at securing customer deposits by ring-fencing them and separating them from riskier accounts like investment banking.

Leading banks like HSBC Holdings Plc, Barclays, Lloyds, and RBS have begun informing customers about their intent to move their accounts and that this may also involve changing their account numbers or six-digit sort codes. The banks are also communicating with their customers and informing them about emerging risks, like people pretending to call from banks and asking them to share their personal information.

'In creating a new system that houses personal data, you’re opening up security holes. The impact of an indiscriminate attack can be substantial,' said James Tedman, managing director in London at ACA Aponix to Bloomberg.

He added that even though the leading banks are aware of such risks, they must urge extreme caution as attacks may come from 'well-financed and sophisticated criminal groups' rather than 15-year-olds in their bedroom.

So far this year, leading banks in the UK have had to weather many a storm, be it cyber attacks sponsored by North Korea or Russia, or regular phishing and DDoS attacks conducted by professional hackers.

Researchers at cyber security firm Trustwave even discovered a new attack technique that involved hackers leveraging the overdraft facility offered by banks to open accounts and steal millions from unsuspecting banks. According to the researchers, the hackers managed to steal between $3 million and $10 million in every heist, with the average amount around $5 million.

Researchers at security firm Barracuda also discovered that hackers are impersonating 'secure messages' from banks to inject malicious code onto their victims' devices so as to obtain sensitive personal and financial information about customers. The emails appear very genuine, and by creating them, hackers are exploiting the trust between banks and their customers to infect more and more devices.

Hackers behind the phishing campaign are attaching Word documents to their emails and are asking recipients to download such attachments to view secure and confidential messages from their banks. The emails also contain logos of real banks and feature literature used by such banks in their emails to customers.

Aside from these threats, banks have another major problem to deal with: the GDPR. The upcoming pan-European regulation will make it prohibitively expensive for banks and other organisations if they do not comply with its requirements.

Chris McMillan, a partner at consultancy firm Oliver Wyman, told FT that leading banks are now expressing serious concerns over their ability to adapt to the upcoming legislation. 'Banks are struggling with legacy systems. From our discussions with chief technology officers at banks, they are concerned the technical challenge may be impossible given there is only a year to go,' he said.

In such a scenario, banks need to strengthen their systems and cyber security policies to improve the security around customer data as soon as possible. As such, they have a duty to educate customers about telling real email accounts from fake ones, not sharing personal information via phone calls, texts, or email messages at any cost, and viewing offers and new changes only on genuine websites run by banks.

Copyright Lyonsdown Limited 2020
