Sin Bin: Bank of Scotland customer details left wide-open by Lloyds online security hole

Lloyds Banking Group has had to scramble to close a security flaw that potentially exposed the banking records of tens of thousands of Bank of Scotland customers.

The vulnerability would have allowed criminals to open an account using only a person’s name, address, and date of birth, and then view other accounts that person had with Bank of Scotland and Halifax.

The flaw, now patched, involved a combination of poor account verification and a feature that linked Halifax and Bank of Scotland accounts online. An attacker could look up the date of birth and address of a person on social networking or other public websites, then open an account with any email address.

Once the account was created with either Halifax or Bank of Scotland, accounts from the other brand’s site would also be viewable.

For example, an attacker could use the name, address, and DoB of a Bank of Scotland customer to open an online account on Halifax, which would then be linked with the target’s Bank of Scotland account to make the details of both accounts, including account numbers and balances, viewable to the attacker.

Guy Anker, managing editor of the personal finance advice site moneysavingexpert.com, which broke the news, said his team held off going public about the vulnerability until the issue was fixed: HBOS, the Lloyds Banking Group subsidiary behind both brands, now requires the accounts to be verified with a code sent by post.
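The flaw described above is a design problem rather than a coding bug: the cross-brand linking feature trusted three attributes (name, address, date of birth) that are knowledge anyone can look up, and the fix adds proof of possession (a code that only reaches the person who controls the letterbox at the address on record). The following model, added here as an illustration and not code from Lloyds Banking Group, Halifax or Bank of Scotland, shows the linking logic in both forms. The `Bank` class, its methods, the customer "Alex Example" and the account numbers and balances are all constructed for the example.

```python
"""Constructed model of knowledge-only account linking and the postal-code fix.

Illustrative code only; the Bank class, customer, account numbers and balances
are hypothetical and not taken from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass
import secrets

MAX_CODE_ATTEMPTS = 3  # assumed policy: burn the posted code after repeated wrong guesses


@dataclass(frozen=True)
class Identity:
    """The three attributes the article says were enough to open a profile."""
    name: str
    address: str
    dob: str  # ISO 8601 date, e.g. "1975-04-12"


@dataclass(frozen=True)
class Account:
    brand: str      # "Halifax" or "Bank of Scotland"
    number: str
    balance: float
    holder: Identity


class Bank:
    """Shared online platform for two brands (hypothetical, for illustration)."""

    def __init__(self, require_postal_code: bool) -> None:
        self.require_postal_code = require_postal_code
        self.accounts: list[Account] = []
        self.profiles: dict[str, Identity] = {}   # login email -> claimed identity
        self.verified: set[str] = set()           # emails that proved control of the address
        self.letters: dict[str, str] = {}         # postal address -> one-time code "in the post"
        self.attempts: dict[str, int] = {}        # wrong guesses per email

    def open_online_profile(self, email: str, claimed: Identity) -> None:
        # Any email is accepted; the only "check" is that name/address/DoB are supplied.
        self.profiles[email] = claimed
        if self.require_postal_code:
            # Fix: the code goes to the address on the records being linked. An attacker
            # must supply the victim's real address for the match to work, and then
            # cannot read the letter that lands there.
            self.letters[claimed.address] = f"{secrets.randbelow(10**6):06d}"

    def read_letter(self, address: str) -> str | None:
        """Simulates collecting the post at `address`."""
        return self.letters.get(address)

    def confirm_code(self, email: str, code: str) -> bool:
        address = self.profiles[email].address
        expected = self.letters.get(address)
        if expected is None:
            return False  # no live code: never posted, already used, or burned
        if secrets.compare_digest(expected, code):
            self.verified.add(email)
            del self.letters[address]
            return True
        self.attempts[email] = self.attempts.get(email, 0) + 1
        if self.attempts[email] >= MAX_CODE_ATTEMPTS:
            del self.letters[address]  # stop online guessing of the 6-digit code
        return False

    def visible_accounts(self, email: str) -> list[Account]:
        """The cross-brand linking feature: every account whose holder matches the profile."""
        claimed = self.profiles[email]
        if self.require_postal_code and email not in self.verified:
            return []
        return [a for a in self.accounts if a.holder == claimed]


# Constructed sample customer with one account at each brand.
VICTIM = Identity("Alex Example", "1 Sample Street, Edinburgh", "1975-04-12")


def seed(bank: Bank) -> None:
    bank.accounts.append(Account("Bank of Scotland", "12345678", 1500.0, VICTIM))
    bank.accounts.append(Account("Halifax", "87654321", 250.0, VICTIM))


def attacker_view(require_postal_code: bool) -> list[tuple[str, str, float]]:
    """What someone holding only the victim's publicly available details can see."""
    bank = Bank(require_postal_code)
    seed(bank)
    bank.open_online_profile("attacker@example.invalid", VICTIM)  # details from public sources
    # The attacker never calls confirm_code: the letter went to the victim's address.
    return [(a.brand, a.number, a.balance) for a in bank.visible_accounts("attacker@example.invalid")]


def customer_view() -> list[tuple[str, str, float]]:
    """The genuine customer registers, collects the letter and links both brands."""
    bank = Bank(require_postal_code=True)
    seed(bank)
    bank.open_online_profile("alex@example.invalid", VICTIM)
    code = bank.read_letter(VICTIM.address)
    if code is None or not bank.confirm_code("alex@example.invalid", code):
        raise RuntimeError("customer could not verify the posted code")
    return [(a.brand, a.number, a.balance) for a in bank.visible_accounts("alex@example.invalid")]


if __name__ == "__main__":
    print("before fix, attacker sees:", attacker_view(require_postal_code=False))
    print("after fix, attacker sees: ", attacker_view(require_postal_code=True))
    print("after fix, customer sees: ", customer_view())
```

The point the model makes is that matching on name, address and date of birth is still what links the two brands after the fix; what changes is that the link is withheld until the applicant demonstrates control of something the public record does not give away. The attempt counter covers the obvious follow-on weakness of a short numeric code exposed to an online form; a production system would also expire the code and rate-limit by account, not only by login email.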

A Lloyds Banking Group spokesperson said about 23,000 customers were affected by the issue, but no instances of fraud have been reported.

“We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems,” the spokesperson said.

“All applications are scrutinized for anything suspicious, and this triggers further action immediately.”

News of the latest blunder comes soon after another security incident involving Lloyds Banking Group brands.
