[BreachExchange] Security nightmare: Lewiston man accesses stranger’s bank info

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 5 20:14:28 EST 2017


http://www.sunjournal.com/security-nightmare-lewiston-
man-accesses-strangers-bank-info/

Somewhere in Farmington, Connecticut, is a man who may never know how lucky
he is to still be in possession of his money.

On Friday night, a Lewiston man trying to manage his own bank account was
inexplicably given access to a complete stranger’s banking information.

“I just wanted to log on to my account to see if there’s money to go
Christmas shopping this weekend,” said Bryan Brito, a Key Bank customer.
“It brings me to this strange person’s account.”

Brito could see it all. Checking account, savings account, transfers, not
to mention the private information connected to the Connecticut man’s
account.

“I have access to everything,” Brito said. “It’s frightening.”

What he found more frightening was the response he got after calling Key
Bank to report the problem.

“They told me, ‘Don’t worry. Just don’t worry.’ That’s all I can get out of
them,” Brito said. “I sat on hold for 45 minutes for, supposedly, a
supervisor who said, ‘Don’t worry. We’re taking care of it.’ I can look at
a Connecticut man’s bank statements for the past 10 years. How is that a
‘don’t worry’ situation?”

The Sun Journal didn’t have any better luck. A call to a 24-hour hotline
was answered by a representative who passed on a number for the Key Bank
Corporate Headquarters Customer Complaint Resolution Department. Calls to
that number, and to a third number for bank executive relations, were not
answered.

A message left at the Complaint Resolution Department was not returned.

Brito said his concerns were many. If he was able to access a stranger’s
bank account, he wondered, who was to say that some stranger wasn’t
accessing his?

The Key Bank representative Brito talked to fail to reassure him.

“They said, ‘If someone calls us who has access to your account, we’ll take
care of it,'” Brito said. “I said, ‘If it’s a criminal, are they going to
call you and tell you they have access to my account?'”

Brito said he offered to send bank officials screen shots of the
information he had on his computer.

“They weren’t the least bit interested,” he said. “They weren’t even
interested in his name.”

Brito shared with the Sun Journal images showing the Connecticut man’s
name, address and account information. The newspaper will not publish the
images because they compromise the man’s personal information.

Brito said he was disappointed with the reaction from bank officials: He
had expected a more emphatic response to the security breach, especially
considering the extent of financial information he had accessed. He thought
that by contacting the bank immediately, he might help them nip a delicate
problem in the bud.

“We called them, honestly,” Brito said. “We thought we were helping.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171205/1313c219/attachment.html>


More information about the BreachExchange mailing list