More bank clients exposed via e-mail

By Paul Vecchiatto, ITWeb Cape Town correspondent
Cape Town, 28 Mar 2003

Banks are learning an age-old lesson all over again: the weakest link in security is people and not computers, as several cases of human error causing breaches of client confidentiality have highlighted.

Investec Private Bank has sent out an e-mail accidentally disclosing the e-mail addresses of a number of its clients. This follows ITWeb's report earlier this week that First National Bank's (FNB's) Corporate BANKit division had unmasked 477 client addresses via e-mail.

ITWeb received an e-mail from an irate Investec Private Bank client clearly showing the personal addresses of people who bank with the institution. Investec Private Bank targets the very rich for clients.

Investec Private Bank national risk manager Mike Leisegang says an "over-zealous employee" caused the mistake.

"The consultant who sent that e-mail out physically entered the addresses himself and did not follow our standard protocol. He had only been with the bank for about five months and was trying to impress his clients."

Leisegang says the employee faces disciplinary action and an apology has been sent to the named clients.

Wayne Preston, head of IT at Investec Private Bank, says the bank is aware of the security breaches that can happen with e-mail, so it tries to minimise its use. "For instance, we do not e-mail statements, but rather have a facility where clients can access them through a secure Internet site."

Meanwhile, FNB has sent lawyers' letters to Stuart Mackay, the client who complained about the unmasked addresses on the bank's bulk e-mail, warning him of consequences should he approach FNB clients or defame the organisation.

FNB Corporate executive director Iris Dempsey denies the letters were of an intimidatory nature. "The letters were sent to inform him about the legal aspects of using the information sent to him in error," she says.

MacKay says he received an e-mail from FNB informing its BANKit clients about changes to its site and noticed that the addressees were unmasked. He claimed he only sent the e-mail to ITWeb after failing to get a response from the bank.

Dempsey says FNB did send him a letter apologising for the mistake on 14 March. "Apologies were sent out within 48 hours of the mistake being committed and that included one to Mr MacKay," she says.

FNB says the e-mail was a case of human error, as the sender had not complied with the bank's protocols.

"We take security very seriously. At FNB we batch our bulk e-mails so that if a compromise happens then only a small number of the addressees are seen. Secondly, we run test runs to minimise any chance of an error," Dempsey says.

FNB says MacKay is still a valued client and the bank is attempting to patch things up with him.

ITWeb has been told of other instances of similar e-mail confidentiality breaches by other major commercial banks. However, no physical proof has been seen of these allegations.

"E-mail is still in its infancy as a communications tool and we are all still learning," says Dempsey. "We have had some very good response from clients who have shared their experiences with us and made recommendations on how to avoid errors such as this one."
