
29 comments

  1. Your_Mums_Ex on

    Never going to live it down if people find out I subscribe to a My Little Pony magazine

  2. JackStrawWitchita on

    Massive GDPR breach. They need to be heavily fined for this.

    Too many companies are cutting back on quality control of their IT systems in order to save a few quid. This is a preventable customer data breach.

  3. somnamna2516 on

    more and more outages, incidents and security breaches.

    take your pick from headcount reduction, outsourcing, AI slop-coding and AI slop-devops.

  4. SimpleFactor on

    Well they’ve locked down the apps for now from the looks of it so good luck if you’re with Lloyds group and need to make a transfer this morning

  5. limeflavoured on

    Incoming massive fine from the ICO and probably the FCA.

    But I can’t imagine individuals will be able to sue since there’s no financial loss.

  6. ash_ninetyone on

    If I wanted to make an assumption, did the developers of those systems introduce AI-aided coding?

    Because you have to have a major screw-up or really bad devs if your system starts showing mismatched account IDs

  7. Informal_Arachnid_84 on

    My bank has sent me a dozen or so messages to tell me that I have gone over my overdraft limit. I hope not, I got paid today and I’m still in bed.

  8. One-Program6244 on

    These are three separate banks aren’t they? Are they linked in a business sense? Does one own another?

  9. Timely_Note_1904 on

    Not the first time a bank has had a caching issue. You’d think this would be one of the scenarios in their automated testing before releasing any change. Bank account logins are an example of a place you shouldn’t be caching anything, it shouldn’t be too hard to avoid.

  10. FourJaffacakes on

    Why do I get the feeling this is going to be because of a ‘Vibe Coded’ change they have done recently…

  11. lastaccountgotlocked on

    Not a problem for me, I buy all my dildos through a company called Bobby’s Bits. Nobody’s the wiser.

  12. shrunkenshrubbery on

    The rigorous test and release process seems to be deficient. No doubt the ai powered automated testing missed this. Could be time to have some biological controls in the loop again.

  13. let_me_atom on

    Having just opened an account with Lloyds and having accounts with multiple other banks, there’s something deeply amateurish about their app and whole digital banking infrastructure, so this is absolutely no surprise.

  14. Cumulus-Crafts on

    This’ll be interesting to see how much they’re fined for this GDPR breach

  15. Ha ha. As a smug IT professional myself, how is that outsourcing of IT looking now ya dick heads!?

    Oh shit. I am with Lloyds!

    “The incident has been quickly resolved”

    No it has not! You just shut the app down.

  16. justthrowa2 on

    This is a massive failure of basic data security. Cutting corners on IT testing to save money is exactly how these completely preventable breaches happen. The fines for this should be absolutely massive.

  17. PolarLocalCallingSvc on

    > The 55-year-old also reported being able to view benefits payments from the Department of Work and Pensions (DWP), which use the National Insurance numbers of recipients as a payment reference.

    I’ve never been on benefits and didn’t realise this was a thing.

    To me this seems… unwise?

    DWP should surely have an identifier for an individual which isn’t their NI number, which they could use in payment references if they really needed to, which may only be pseudonymisation but still would make it more difficult to commit fraud from finding somebody’s bank statement lying around.

    I’m not even sure why their payments need any individual identifiers rather than payment identifiers.

  18. boringfantasy on

    AI coding probably. We have too much code being generated and nobody wants to review it properly. And also our ability to review effectively has atrophied.

  19. _x_oOo_x_ on

    Amex was doing this too, about 2 years ago. Globally I might add (I saw the transactions of a user from another country). No idea if they’ve ever been fined or even acknowledged the issue officially

  20. foodieshoes on

    Unbelievable that something like this can happen in 2025, 1000x more so as a bank.

    Did some vibe-coding intern forget to run their tests before hitting deploy or something.

    So do we think: crappy code release? f—ked caching strategy? session clashes?

  21. Powerful_Set_2350 on

    At what point should we be concerned that transactions are not going to be executed in another account?

    Eg. Withdrawing £100 from an ATM is deducted from a random account?

  22. TheKnightsRider on

    Last week Barclays was showing 6 transactions to NowTv in regular payments. Called them as I’ve never used it and thought my card might have been cloned, oh it’s just an error and you’ve not been charged.

    They’re not alone in the shitness

  23. Joshposh70 on

    Sounds like someone screwed up the caching rules on their load balancers. Won’t be the first and won’t be the last.

  24. FelisCantabrigiensis on

    I am highly confident the failure mode is in the session authentication system at Lloyds.

    The way nearly every such application/website authenticates you is that you go to an authentication system which issues you a session token that authorises you to see certain information for a certain time. Your app or browser then presents this session token every time you interact with the bank’s systems (or the social network, or so on).

    If that system hands out wrong session tokens, then you get access to other information that you are not intended to get access to. Often that is either a bug in the authentication code or, more perniciously, data corruption in the session data store (due to different bugs) so that correct tokens are generated and stored but wrong tokens are retrieved and given to you.

    This has happened before and it will happen again. The idea that it’s absolutely impossible and everyone responsible must clearly be executed on the spot, which seems to be the tone of some other comments, is not quite the reality of the situation.

    (Source: 20+ years working on such systems)
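
The failure mode described in comment 24 (a correct token is stored, but the wrong session row comes back for it) can be made to fail closed by binding each stored row to its token with a MAC. This is an added example, not part of the thread and not any bank's code; `SessionStore`, `issue_session`, `naive_lookup`, `checked_lookup` and the user names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key for this example


class SessionStore:
    """In-memory stand-in for the session data store (hypothetical)."""

    def __init__(self):
        self.rows = {}


def _tag(token, user_id):
    # MAC over (token, user) ties a stored row to the one token it was issued for.
    msg = json.dumps([token, user_id]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(store, user_id):
    token = secrets.token_urlsafe(32)
    store.rows[token] = {"user_id": user_id, "tag": _tag(token, user_id)}
    return token


def naive_lookup(store, token):
    # Trusts whatever row the store hands back.
    row = store.rows.get(token)
    return row["user_id"] if row else None


def checked_lookup(store, token):
    # Recomputes the MAC; a row that belongs to another token fails closed.
    row = store.rows.get(token)
    if row is None:
        return None
    expected = _tag(token, row["user_id"])
    return row["user_id"] if hmac.compare_digest(expected, row["tag"]) else None


def simulate_row_mixup():
    """Constructed fault: alice's token now resolves to bob's stored row."""
    store = SessionStore()
    alice, bob = issue_session(store, "alice"), issue_session(store, "bob")
    store.rows[alice] = store.rows[bob]
    return naive_lookup(store, alice), checked_lookup(store, alice), checked_lookup(store, bob)
```

With the constructed mix-up, the naive lookup resolves alice's token to bob, while the checked lookup rejects the mismatched row and bob's own session keeps working.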

  25. PeaceLoveCurrySauce on

    Knew this new approach of everyone can use each other’s app was going to end in tears, it’s been rolled out horribly, the old apps were better

  26. caractacusbritannica on

    Wow.

    A few years ago we changed mortgage provider. Paid off our mortgage.

    When we asked for the paperwork and redemption certificates they said they’d been sent.

    They didn’t turn up. We then asked where were they sent, thinking maybe broker/new lender.

    Nope a completely random address across the country. We asked for explanation and complained. We weren’t overly upset, but found it odd and just wanted to know why.

    They gave us £250 and said they were unable to explain why they had been sent there. It seemed the system merged our address/account with a new application. They literally called it an unexplained error!

    I’m thinking that the £250 wasn’t enough.

  27. LargeLetter1 on

    “We made our experienced developers redundant and relocated all our development to Hyderabad. What could possibly go wrong”.

    Why after years of these kinds of failures do highly paid execs still think it’s cheaper to offshore and experience a massive reputational risk and fine from the regulators?

    Whoever signed this off should be named, shamed and have their bonus given to charity.

  28. morphemass on

    I’d have thought that the people the banks employ would have had at least enough intelligence to design a system where externally accessible SPI data is encrypted with a per user key so as to avoid information leaks of this nature. Oh, wait these are the same banks where the mobile apps give users complete control over their accounts and force them to use the same app to confirm transactions.

    Your security is an afterthought for these companies.

  29. Tube_Warmer on

    As a TSB customer, I think back to their IT shit show and let me tell you. It was nice getting a “sorry about that” cash payment. Got £350 and I wasn’t even put out that much lol. You are all about to get at least a couple of hundred quid once the dust settles. Which is nice, right?
