Expert Comment: Bank botched upgrade – ‘data breaches should never have happened’

Commenting on the chaos faced by 1.9 million customers of TSB, cyber security expert Professor Shujun Li of the University of Kent said: ‘there have been data breaches that should have never happened with any modern e-banking systems.’

‘The ongoing IT system failure of TSB surprised me not because of the failure itself. Today’s IT systems are too complicated and dynamic to be totally bug-free, so what is more important is how risks related to such failures are managed.

‘What also surprised me is the fact that TSB allowed the buggy system to run through their 1.9 million customers without proper testing of the new system.

‘I was under the impression that TSB got the priority wrong: it seemed that they wanted to offer availability and usability to their customers sooner but forgot about other security requirements an e-banking system must offer.

‘From what has happened, it is clear to me that something seriously went wrong with TSB’s procedures on a number of things, including but not limited to:

  • internal system testing,
  • customer communications,
  • information security management and
  • data protection.

‘While the system failure is more about lack of availability – many customers complained that they could not use the e-banking services or even their debit cards – there are also genuine security risks.

‘Some criminals (including external attackers and malicious insiders) may have grabbed the opportunities to launch spear phishing attacks and have attempted to steal money from some TSB customers’ accounts.

‘The problems with biometrics and one-time passwords (the latter won’t be solved until the end of April) also suggested that launching an attack on TSB would be easier now if no other security mechanisms are added.

‘If such attacks did happen or are happening, the chaos we have been observing suggested that TSB will have more difficulties identifying such attacks and providing evidence to support investigations by TSB itself and law enforcement.

‘In addition, if all the stories from TSB customers we saw on social media and in newspapers are true, then there were clearly data breaches, e.g. one TSB customer said he had seen transaction details of somebody else’s accounts, which should have never happened with any modern e-banking systems.

‘While TSB is working hard to fix the system failure, it should also keep its customers and the authorities informed on what went wrong and what will be done to avoid such failures happening again in future.’

Shujun Li, Director of Kent Interdisciplinary Research Centre in Cyber Security (KirCCS), Professor of Cyber Security at the School of Computing, University of Kent.

KirCCS is currently recruiting PhD students to work alongside Professor Shujun Li and other cyber security experts.