http://securityratty.com/tag/aib Wed, 28 Nov 2007 14:08:26 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/20b04978d19103432c6503fb7cdb0888 http://securityratty.com/article/20b04978d19103432c6503fb7cdb0888 Fri, 28 Dec 2007 10:15:45 +0000 payment advice slips aib wrong addresses computer error thursday AIB confirms payment receipts mix-up http://securityratty.com/article/e9e4e49686bbca7d3d82fcf2967adea5 http://securityratty.com/article/e9e4e49686bbca7d3d82fcf2967adea5 Security Breach

Date Reported:
11/21/07

Organization:
Allied Irish Bank (AI

Contractor/Consultant/Branch:
None

Victims:
Certain AIB customers who made or received international payments between November 13th and 15th, 2007.  Some customers of other banks involved in the transactions may also be affected.

Number Affected:
11,000*

*AIB customers, unknown number of victims that are customers of other banks

Types of Data:
Names, addresses and "private bank account details".

Breach Description:
The announcement from AIB sums this breach up well; "A technical problem occurred in the issuing of these advice notices to some AIB customers that made international payments between the 13th and 15th November 2007. This affected 15,000 payment advices, which were sent in error to the wrong customers."

Reference URL:
The Irish Times Story
Computer Weekly Story
RTE Business Story

Report Credit:
The Irish Times

Response:
From the sources cited above:

A significant error at AIB bank earlier this month led it to send 15,000 notifications to its customers containing the private bank account details of other individuals. A total of 11,000 AIB customers are affected by the move, writes John Downes

Last night, it also emerged that some of the bank account details sent to AIB customers in recent days relate not just to AIB accounts, but also reveal the names and bank account details of customers with other banks.

It is understood that as many as 7,500 of the notices contained the names, addresses and full bank account numbers of AIB customers.This means these details, contained in notices relating to "inward" payments, are now in the possession of other customers of the bank.

Most of the remaining "outward" payment notices included the name of a bank account holder, usually with a bank other than AIB, and their account numbers, but not their address.

A bank spokesman said the information in question was no more or less than would be contained in a company invoice or cheque
[Comfyllama] Which wouldn't be a big deal if this information were meant to be public, but it WASN'T.

However the error, which AIB said was the result of a "technical problem" in the issuing of international payment advice notices, has been labelled a "serious breach" by a spokesman for the Office of the Data Protection Commissioner.
[Comfyllama] Sounds like someone made a change to one or more internal systems, likely without thorough testing and/or validation.

Customers of the bank who either received or transferred an international payment between November 13th and 15th are affected by the error.

Those who received the notices were wrongly provided with details relating to someone else's transaction. As a result, they were incorrectly told the transaction related to their account.
[Comfyllama] Can you imagine receiving a notice that X number of Euro (EUR) were transferred from your account, and you had nothing to do with it.  My heart would just about burst out of my chest!

The bank stressed that no customer accounts have been incorrectly credited or debited as a result of the error. A company spokesman added that it had "nothing whatsoever" to do with computer "hackers" or other unauthorised parties attempting to access its system.

AIB has informed the Office of Data Protection Commissioner which is awaiting an AIB report on the matter in the coming days. The company said it would allow affected customers to change their bank account details should they so wish.

"AIB regrets that this occurred and is currently writing to each customer involved to apologise, to explain how this occurred and to reassure them that this was an isolated error," the bank said.

One of the incorrect notices, seen by The Irish Times , wrongly informed the customer that a payment of €5,000 had been made from their business account to an account with the Bank of China.

Commentary:
Errors will always be a part of our daily lives, but at the same time we should do everything within reason to prevent them.  In IT, this is one of the primary reasons for proper change control processes.  As a part of most good change control, testing and validation are completed before the change is successful.  If testing and/or validation fail, a roll-back is initiated.

I'm not sure what AIB's change control processes or procedures are, but in this case they appear to have failed.  I am also not sure how sensitive the data involved actually is, so determining the risk to victims is a little sketchy.  Many IT folks aren't particularly fond of change control (and documentation in general), but this may be a good case to demonstrate its importance.

Now that I think a little more, these changes should have been thoroughly tested on a test platform prior to production implementation also.

Past Breaches:
Unknown



]]> Wed, 28 Nov 2007 14:08:26 +0000 bank account bank account details aib bank bank account aib details wrong customers customers AIB technical problem discloses details of bank transfers