{"id":1411,"date":"2018-04-24T16:12:31","date_gmt":"2018-04-24T15:12:31","guid":{"rendered":"http:\/\/blogs.kent.ac.uk\/unikentcomp-news\/?p=1411"},"modified":"2018-04-24T16:12:31","modified_gmt":"2018-04-24T15:12:31","slug":"expert-comment-bank-botched-upgrade-data-breaches-should-never-have-happened","status":"publish","type":"post","link":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/2018\/04\/24\/expert-comment-bank-botched-upgrade-data-breaches-should-never-have-happened\/","title":{"rendered":"Expert Comment: Bank botched upgrade \u2013 \u2018data breaches should never have happened\u2019"},"content":{"rendered":"<p>Commenting on the chaos faced by 1.9 million customers of the TSB, cyber security expert, <a href=\"https:\/\/www.cs.kent.ac.uk\/people\/staff\/sl626\/\">Professor Shujun Li<\/a> of the University of Kent said: \u2018there have been data breaches that should have never happened with any modern e-banking systems.\u2019<\/p>\n<p>\u2018The ongoing IT system failure of TSB surprised me not because of the failure itself. 
Today\u2019s IT systems are too complicated and dynamic to be totally bug-free, so what is more important is how risks related to such failures are managed.<\/p>\n<p>\u2018What also surprised me is the fact that TSB allowed the buggy system to run through their 1.9 million customers without proper testing of the new system.<\/p>\n<p>\u2018I was under the impression that TSB got the priority wrong: it seemed that they wanted to offer availability and usability to their customers sooner but forgot about other security requirements an e-banking system must offer.<\/p>\n<p>\u2018From what has happened, it is clear to me that something seriously went wrong with TSB\u2019s procedures on a number of things, including but not limited to:<\/p>\n<ul>\n<li>internal system testing,<\/li>\n<li>customer communications,<\/li>\n<li>information security management and<\/li>\n<li>data protection.<\/li>\n<\/ul>\n<p>\u2018While the system failure is more about lack of availability \u2013 many customers complained that they could not use the e-banking services or even their debit cards, there are also genuine security risks.<\/p>\n<p>\u2018Some criminals (including external attackers and malicious insiders) may have grabbed the opportunities to launch spear phishing attacks and have attempted to steal money from some TSB customers\u2019 accounts.<\/p>\n<p>\u2018The problems with biometrics and one-time passwords (the latter won\u2019t be solved until the end of April) also suggested that launching an attack on TSB would be easier now if no other security mechanisms are added.<\/p>\n<p>\u2018If such attacks did happen or are happening, the chaos we have been observing suggested that TSB will have more difficulties identifying such attacks and providing evidence to support investigations by TSB itself and law enforcement.<\/p>\n<p>\u2018In addition, if all the stories from TSB customers we saw on social media and newspapers are true, then there were clearly data breaches, e.g. 
one TSB customer said he had seen transaction details of somebody else\u2019s accounts, which should have never happened with any modern e-banking systems.<\/p>\n<p>\u2018While TSB is working hard to fix the system failure, it should also keep its customers and the authorities informed on what went wrong and what will be done to avoid such failures happening again in future.\u2019<\/p>\n<p>Shujun Li, Director of <a href=\"https:\/\/cyber.kent.ac.uk\">Kent Interdisciplinary Research Centre in Cyber Security<\/a> (KirCCS), Professor of Cyber Security at the School of Computing, University of Kent.<\/p>\n<p>KirCCS is currently recruiting <a href=\"https:\/\/cyber.kent.ac.uk\/calls.html#PhDs\">PhD students<\/a> to work alongside Professor Shujun Li and other cyber security experts.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Commenting on the chaos faced by 1.9 million customers of the TSB, cyber security expert, Professor Shujun Li of the University of Kent said: \u2018there &hellip; <a 
href=\"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/2018\/04\/24\/expert-comment-bank-botched-upgrade-data-breaches-should-never-have-happened\/\">Read&nbsp;more<\/a><\/p>\n","protected":false},"author":5321,"featured_media":1412,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[57908,122],"tags":[178037],"_links":{"self":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts\/1411"}],"collection":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/users\/5321"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/comments?post=1411"}],"version-history":[{"count":1,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts\/1411\/revisions"}],"predecessor-version":[{"id":1413,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/posts\/1411\/revisions\/1413"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/media\/1412"}],"wp:attachment":[{"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/media?parent=1411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/categories?post=1411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unikentcomp-news\/wp-json\/wp\/v2\/tags?post=1411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}