Is it time that financial websites just stopped communicating with customers via email?
I would have thought it was a bit extreme, but I’m not sure banks can be trusted to continue sending out emails to customers. I’ve talked before about how emails from institutions are hard to distinguish from phishing emails, further confusing customers, but what happens when they mess up and send out customers’ personal details in an email?
This is not a new story, but it’s worth mentioning as an illustration of several problems: BBC reported in September that HFC Bank, owned by HSBC, “sent ‘urgent’ e-mails to 2,600 people but an error meant that each address was visible to everyone else on the list”. (I think this means email addresses, and they appear to have been put in the ‘To’ field.) The email called on customers to call a special hotline number — although the BBC article does not say what for.
What compounded the problem was that customers’ ‘out-of-office’ messages started coming back — to all the other people on the list. Most of these messages included home and mobile telephone numbers (and, I should imagine, details of when these people were away from the office). I’ve written before about how dangerous this kind of message is.
The bank has admitted the mistake, but its mea culpa seems half-hearted, and, dare I say it, dim-witted: The BBC quotes Corporate Director Martin Rutland as blaming human error but adding, “We have been sending e-mails out this way for well over a year. They have never been a problem. In this instance we made a mistake, and we unreservedly apologise for it.” Which begs the question: Why? Why are you sending out emails to people? Are they really necessary? Especially if you don’t seem to be able to do it properly. Emails should be a last resort, and if you really need to contact your customers, phone them, and ask them to call back if they want to confirm that you are really their bank and not a scammer. (Not to mention the issue about why the bank is not using decent email software that has checks against this kind of error, as this opinion piece on Unisys World points out.)
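To make concrete what “software that has checks against this kind of error” could look like, here is an added example (my own illustration, not HFC’s or anyone’s real mailing code). It builds the mistake described above, every customer address in one ‘To’ header, next to the safe approach of one message per customer, and gates both through an outbound check that refuses any customer mailing exposing more than one recipient. The sender address and customer list are made up for the demonstration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example: not real customers, not a real bank.
SENDER = "alerts@bank.example"  # hypothetical sender address
CUSTOMERS = [
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]
SUBJECT = "Urgent: please call our hotline"
BODY = "Please call the hotline number printed on your statement."


def build_broken_message(recipients):
    """Reproduce the reported mistake: every customer address lands in 'To',
    so each recipient (and each auto-responder) sees the whole list."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = SUBJECT
    msg.set_content(BODY)
    return msg


def build_safe_messages(recipients):
    """Safe alternative: one message per customer, so no header ever carries
    another customer's address. (Bcc would also hide the list, but a separate
    message per recipient also keeps out-of-office replies from fanning out.)"""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = rcpt
        msg["Subject"] = SUBJECT
        msg.set_content(BODY)
        messages.append(msg)
    return messages


def visible_recipients(msg):
    """Addresses that any recipient of this message can read from its headers."""
    raw = [value for name in ("To", "Cc") for value in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def outbound_check(msg, max_visible=1):
    """Gate that a bulk-mailer should run on every customer message before
    handing it to the MTA. Returns (ok, reason)."""
    # A Bcc header that survives into the transmitted message is delivered to
    # everyone; smtplib.send_message strips it, but not every sending path
    # does, so refuse rather than rely on that.
    if msg.get_all("Bcc"):
        return False, "Bcc header still present; strip it before sending"
    exposed = visible_recipients(msg)
    if len(exposed) > max_visible:
        return False, f"{len(exposed)} addresses exposed in To/Cc (max {max_visible})"
    return True, "ok"


def send_all(recipients):
    """Return the messages that pass the gate; a real mailer would hand only
    these to smtplib. The broken single-message form is never allowed through."""
    return [m for m in build_safe_messages(recipients) if outbound_check(m)[0]]


if __name__ == "__main__":
    broken = build_broken_message(CUSTOMERS)
    print("single message to all:", outbound_check(broken))
    for m in send_all(CUSTOMERS):
        print("per-customer message to", m["To"], "->", outbound_check(m))
```

The gate is deliberately dumb: it does not care who the addresses are, only how many are exposed, because a customer mailing has no legitimate reason to show one customer another customer’s address. That is the kind of check that would have stopped the HFC email before it left the building.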
Rutland goes on to deny that customers are in danger as a result of the blunder: “If someone can prove that having their e-mail address sent to another customer has caused them financial loss, then they should contact us and make an appropriate claim. The advice we give is like all financial institutions, never give details of your account out over the Internet.” At one point in the BBC interview he says “if you were to get hold of my e-mail address, I think there’s very little you could do to me to cause me financial damage.” Oh dear. Clearly he has no idea of what he’s up against. One email address on its own may be harmless; 2,600 email addresses that are known to belong to HFC customers are not. That email, with all the addresses contained therein, is bound to have found its way into a phisher’s hands by now, handing a sophisticated group a verified list of HFC customers to target with a well-crafted phishing email.
And the out-of-office messages: These contain useful information that a phisher or social-engineering scammer could use. If they know the sender is out of town and has an account at the bank, they could start getting to work on cracking the online account. Or they could call the guy’s office and pose as a colleague to gain access to his office account, which may well contain passwords and PINs. If they really wanted, they could do it the old-fashioned way: Burgle his house.
Finally, it’s not up to the customer to prove financial loss, it’s up to the bank to protect the customer. If the bank is not busy changing account numbers, redesigning logos, calling each customer individually to explain to them their account is now at risk, then they’re not doing their job. Maybe they are: At the time of writing the bank’s website now appears to be down.