TSB leaks customer data; SIM-swap fraud increases

TSB has encountered a cascade of problems since trying to break away from their former owner Lloyds.

The problems began during a migration of customer data from systems owned by Lloyds to their own systems managed by Sabadell. While online services were unavailable for many, some of their five million customers tried to use phone banking services, which became overwhelmed by demand.

The bank sent letters acknowledging the technical issues, but some of these letters included the personal information of other customers.

Criminals smell blood

It didn’t take long for criminals to recognise the opportunity presented by the chaos at TSB. Whether they were using information leaked by the bank, or simply using the chaotic situation to mask their activities, criminals began sending phishing messages by text and email, in an attempt to gather even more information to support their scams.

SIM-swapping scams

Mobile banking is wonderfully quick and easy, but it also makes our phones a tempting back-door for determined criminals. Access to your phone can also mean access to your cash.

Criminals now attempt to take over your SIM card, as this then gives them access to your text messages and your phone number. Before they can take control of your SIM, they have to do their homework. By gathering information about you, they can then try to convince your mobile phone operator that they are you. Once past security checks, they claim that you have lost or damaged your SIM card, and request to have another SIM card, one that they possess, activated. If this is effective, they are then in possession of your text messages, and they can also send texts and make calls that appear to be from you.

Once in control of your SIM, scammers attempt to log in to your bank account online. If password reminders or other verification checks are sent to your phone, then they will pick them up, and use them to easily access your accounts.

And once they have access to your account, it’s easy enough to transfer money to accounts they control. And to make matters worse, scammers often create parallel accounts in the victim’s name. Transferring money to the new account is easy because it appears as though the customer is just moving money between their own accounts.
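The pattern described above (a replacement SIM, then SMS codes used to log in, then a transfer to a freshly opened account in the victim's own name) can be screened for on the bank's side. The following is an added example, not code from the article or from TSB; the field names, the time windows and the availability of a "last SIM change" timestamp from the mobile operator are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy windows; a real deployment would tune these.
SIM_CHANGE_WINDOW = timedelta(hours=72)
NEW_ACCOUNT_WINDOW = timedelta(days=7)

@dataclass
class Transfer:
    customer_id: str
    when: datetime
    auth_channel: str                    # "sms_otp" or "app" (hypothetical labels)
    payee_owner_id: str                  # customer the destination account is registered to
    payee_opened: datetime               # when the destination account was opened
    last_sim_change: Optional[datetime]  # from an operator lookup; None if unknown

def assess(t: Transfer) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for one outgoing transfer."""
    reasons = []
    # Signal 1: the code that authorised this transfer went by SMS to a
    # number whose SIM was replaced very recently.
    if (t.auth_channel == "sms_otp" and t.last_sim_change is not None
            and timedelta(0) <= t.when - t.last_sim_change <= SIM_CHANGE_WINDOW):
        reasons.append("sms_otp_after_recent_sim_change")
    # Signal 2: the destination looks like the customer's own account but
    # was opened only days ago (the "parallel account" in the text).
    if (t.payee_owner_id == t.customer_id
            and timedelta(0) <= t.when - t.payee_opened <= NEW_ACCOUNT_WINDOW):
        reasons.append("payee_is_newly_opened_own_name_account")
    # Both signals: hold for manual review. One signal: ask for a second
    # factor that does not depend on the phone number.
    decision = {0: "allow", 1: "step_up", 2: "hold"}[len(reasons)]
    return decision, reasons

def demo() -> List[str]:
    """Run the rule over constructed sample transfers (not real data)."""
    now = datetime(2018, 5, 1, 12, 0)
    old = now - timedelta(days=900)
    samples = [
        Transfer("c1", now, "sms_otp", "c1", now - timedelta(days=1), now - timedelta(hours=5)),
        Transfer("c2", now, "sms_otp", "c9", old, now - timedelta(hours=2)),
        Transfer("c3", now, "sms_otp", "c3", old, None),
    ]
    return [assess(s)[0] for s in samples]

if __name__ == "__main__":
    print(demo())
```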

Breach of data protection rules

In addition to the disruption, upset and loss caused to many TSB customers, the bank may also face the wrath of the Information Commissioner’s Office, who said they are “continuing to make enquiries in relation to TSB and we are aware of ongoing issues. Customers who are concerned about their personal data can contact us.”

Clearly, the problems at TSB are connected to the challenging task of migrating five million customers to entirely new banking and communications systems. However, it may take some time for TSB to recover from this crisis, and reassure customers that their data – and money – are safe in their hands.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.


James

VinciWorks CEO, VinciWorks
