It's a case of customer service gone bad. Lloyds Banking Group, in a quest to simplify account signup and interoperability between its brands, created a system that could be hacked by someone with virtually no IT skills.
The security flaw, now patched, made hacking someone's account a simple matter of knowing their name, date of birth and home address. With that information, it was easy to break into an account at the Halifax or Bank of Scotland, two banking brands owned by Lloyds.
To attack an account at the Bank of Scotland, an attacker would acquire the personal details of a customer from that bank and then set up an online account at the Halifax. Once the account was established – a process that could be completed in five minutes – the Halifax account would be automatically linked to the Bank of Scotland account.
No attempt was made to verify the Halifax account, and no further verification steps were required to link to the Bank of Scotland account. With that access, it was possible to access details on current accounts, savings, credit cards and mortgages, meaning it was possible to access account numbers, sort codes, balances, overdraft limits, direct debits and standing orders.
Accessing accounts at the Halifax Bank was as simple as opening an account at the Bank of Scotland using the same process.
As the linked accounts were view-only, it would be impossible to take money or make changes to the account, according to a report in MoneySavingExpert.com, which broke the story following a tip-off from a reader.
MoneySavingExpert notified Lloyds last week about the vulnerability and withheld publication of the story until the bank confirmed the gaping security flaw had been patched.
Martin Lewis, MoneySavingExpert.com founder, is quoted on its website saying: "In a world where scammers and hackers are getting ever more powerful we need our banks to step up their action; this isn't good enough. The ability to easily view all of someone's banking details is a criminal's Christmas, never mind the potential privacy breach.
"We are often told to protect ourselves but they need to act in a way that protects us too. This wasn't some clever hacker finding a breach, it was simply a design flaw. If they're not much more professional than phishing websites, how are we to judge who's real and who's a fraud?"
The Information Commissioner and the Financial Conduct Authority have been informed of the breach. Lloyds said that new customers must now wait for a postal activation code for new accounts.
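The design flaw described above (automatic cross-brand linking on a name, date of birth and address match, with no proof that the person opening the new account controls the existing one) and the fix Lloyds describes (a postal activation code before the new account is usable) can be modelled in a few lines. The following is an added illustration written for this article, not Lloyds' or MoneySavingExpert's code; the brand names `BankA`/`BankB`, the `Account`/`Identity` types, the `ActivationService` class and the sample customer record are all constructed for the example.

```python
"""Added example: weak vs hardened account linking.

Models the flaw in the article (auto-link on PII match) beside a design that
gates linking on an out-of-band postal activation code. All names and data
here are constructed for illustration.
"""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Identity:
    name: str
    dob: str
    address: str


@dataclass
class Account:
    brand: str
    ref: str
    identity: Identity
    activated: bool = False  # True only once the postal code has been confirmed


# Constructed "existing customer" store for a second brand of the same group.
EXISTING = {
    "BankB": [
        Account("BankB", "b-1001",
                Identity("A. Customer", "1980-01-01", "1 High Street"),
                activated=True),
    ],
}


def matching_accounts(acct, directory):
    """Accounts at other brands whose name/DOB/address equal this one's."""
    return [other
            for brand, accts in directory.items() if brand != acct.brand
            for other in accts if other.identity == acct.identity]


def link_vulnerable(new_acct, directory):
    """Weak design from the article: anyone who knows the three public-ish
    attributes gets read access to the matching account immediately."""
    return matching_accounts(new_acct, directory)


class ActivationService:
    """Hardened design: a one-time code is posted to the address on file and
    the account stays unlinked until the customer proves receipt.

    The letter goes to the same address the match relies on, so knowing the
    address is not enough; you have to receive post there."""

    MAX_ATTEMPTS = 3

    def __init__(self):
        self._pending = {}  # acct.ref -> (code, attempts_left)

    def issue(self, acct):
        code = secrets.token_hex(4)
        self._pending[acct.ref] = (code, self.MAX_ATTEMPTS)
        return code  # printed on the letter; never shown in the web session

    def confirm(self, acct, code):
        entry = self._pending.get(acct.ref)
        if entry is None:
            return False
        expected, left = entry
        if secrets.compare_digest(expected, code):
            acct.activated = True
            del self._pending[acct.ref]
            return True
        left -= 1
        if left <= 0:
            del self._pending[acct.ref]  # code voided; a new letter is needed
        else:
            self._pending[acct.ref] = (expected, left)
        return False


def link_hardened(new_acct, directory):
    """Same matching logic, but only reachable from an activated account."""
    if not new_acct.activated:
        raise PermissionError("account not activated: postal code not confirmed")
    return matching_accounts(new_acct, directory)


if __name__ == "__main__":
    victim = Identity("A. Customer", "1980-01-01", "1 High Street")
    new = Account("BankA", "a-1", victim)
    print("vulnerable:", [a.ref for a in link_vulnerable(new, EXISTING)])
    svc = ActivationService()
    letter = svc.issue(new)  # would arrive at 1 High Street, not at the attacker
    print("hardened before activation:", end=" ")
    try:
        link_hardened(new, EXISTING)
    except PermissionError as e:
        print(e)
    svc.confirm(new, letter)
    print("hardened after activation:", [a.ref for a in link_hardened(new, EXISTING)])
```

The point of the split is that `matching_accounts` is not the bug; matching on personal details is a reasonable way to find candidate accounts. The bug is treating a match as authorisation. Routing the activation code through the postal address the match depends on turns "knows the address" into "controls the address", and capping attempts stops the code being guessed.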