Abbey National has admitted that lack of thorough testing was responsible for the security flaw in its Cahoot banking website last week, which allowed customers to access other users’ bank accounts.
The problem was spotted mid-week after the company upgraded its IT system. It let customers access other users’ accounts by inputting only their user ID. In response Cahoot closed the site for 10 hours while it restored security.
Cahoot said, “At no time were customers in danger of having money taken out of their accounts because of this systems glitch, but Cahoot takes all security issues extremely seriously indeed, and has acted quickly to put this right.”
The glitch highlights the need for thorough testing, particularly where confidential customer data is at stake.
Michael Gough, group chief executive of the National Computing Centre, said, “In the light of what appears to be a failure of processes, all banks offering personal internet banking should review their security policy and test their systems to make sure application and infrastructure updates are current.”
Martha Bennett, research director at analyst Forrester, said, “It is worrying that banks keep making the same mistake all over again. People’s money is at stake, and also the reputation of the institution, and in a wider context the reputation of the online banking industry in general.”
“It is vital to thoroughly test a system as high-profile and critical as this, every time a systems upgrade is undertaken, to ensure you reduce the risk of these types of failures,” said Martin Davies, consultant at integrator Morse’s IBM division.
As well as the security issues, the mistake also has data protection implications because customers’ details were exposed to the public, added Bennett.