Blog article
See all stories ยป

Barclays compromise financial privacy

On September 23, 2009 I discovered a vulnerability on Barclays online banking service which permitted a remote adversary to peruse customer bank statements. Barclays were immediately notified, but defended their system design as a balance between privacy and usability. The Financial Service Authority (FSA) and Information Commisioner's Office (ICO) were also informed. Six months later I published a technical report ( on the attack. Following media coverage from PC Pro and The Times; Barclays finally fixed the vulnerability on May 17, 2010.

Security researchers widely accept the need for responsible disclosure, that is, notifying service providers and regulators prior to publishing details of system vulnerabilities. However, it would appear that Barclays simply used this period to shy away from their responsibilities, sacrificing their customers right to financial privacy. In addition, regulators failed to react to the problem in a timely manner; in fact, to the best of my knowledge, the regulators still have not reacted.

In this instance it would appear that public disclosure at an earlier date would have directly benefited customer security. Accordingly the research community should consider how best to handle disclosure in the future.



Comments: (1)

A Finextra member
A Finextra member 02 June, 2010, 00:31Be the first to give this comment the thumbs up 0 likes

The Times published a follow-up article over the weekend.

Blog group founder

Member since




More from member

This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

See all

Now hiring