Abbey National has admitted that lack of thorough testing was responsible for the security flaw in its Cahoot banking website last week, which allowed customers to access other users’ bank accounts.
The problem was spotted mid-week after the company upgraded its IT system. It let customers access other users’ accounts by inputting only their user ID. In response Cahoot closed the site for 10 hours while it restored security.
Cahoot said, “At no time were customers in danger of having money taken out of their accounts because of this systems glitch, but Cahoot takes all security issues extremely seriously indeed, and has acted quickly to put this right.”
The glitch highlights the need for thorough testing, particularly where confidential customer data is at stake.
Michael Gough, group chief executive of the National Computing Centre, said, “In the light of what appears to be a failure of processes, all banks offering personal internet banking should review their security policy and test their systems to make sure application and infrastructure updates are current.”
Martha Bennett, research director at analyst Forrester, said, “It is worrying that banks keep making the same mistake all over again. People’s money is at stake, and also the reputation of the institution, and in a wider context the reputation of the online banking industry in general.”
“It is vital to thoroughly test a system as high-profile and critical as this, every time a systems upgrade is undertaken, to ensure you reduce the risk of these types of failures,” said Martin Davies, consultant at integrator Morse’s IBM division.
As well as the security issues, the mistake also has data protection implications because customers’ details were exposed to the public, added Bennett.