HBOS security glitch leaves thousands vulnerable to fraud

Halifax and Bank of Scotland accounts were unprotected

16 October 2015

Online security

Tens of thousands of Halifax and Bank of Scotland customers were put at risk following a security flaw that could have allowed fraudsters to access strangers' bank account details using only their name, date of birth and address.

A glitch in the security process meant that anyone setting up an account could automatically view other financial products held with either bank, leaving customers vulnerable to opportunistic criminals. 

Although further verification checks are carried out before an account can be fully opened, with just three details - the correct name, address and date of birth - criminals could have started the online application process in someone else’s name and found details of any other financial products that person held with Halifax or Bank of Scotland.

The problem was discovered by Which? after a reader opened a Bank of Scotland account and realised they could immediately view the details of their Halifax current account, despite not having the log-in details.

Halifax and Bank of Scotland (HBOS), part of Lloyds banking group, have 22 million customers between them.

Find out more: read our tips for avoiding phishing and identity theft

Security flaw exposed

Although fraudsters would have been unable to actually withdraw money or set up payments, they would still see account numbers, sort codes, direct debits/standing orders and balances associated with any bank, savings, credit card, loan, or mortgage accounts, using a few basic details. 

These details are all too easy to obtain. Which? reported last year how social media can leave users vulnerable to identity theft, but banks must play their part in making life difficult for fraudsters.

Lloyds maintains that a maximum of 23,000 customers applied for a product in a secondary brand and insists that there have been no instances of fraud or customer complaints, but this hole in the security system highlights how important it is that banks keep customers' sensitive data safe. 

A spokesperson for Lloyds said: ‘We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems. All applications are scrutinised for anything suspicious and this triggers further action immediately.’

Additional security measures have now fixed the problem, with the introduction of a postal activation code for online access.
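As an added, constructed illustration (not code from Which?, Halifax, Bank of Scotland or Lloyds), the weakness described above can be modelled as an account-linking step that treats a match on name, date of birth and address as proof of identity and immediately shows the applicant every product on the matched record, beside a hardened version that withholds any product detail until a single-use activation code, delivered out of band in the way the postal fix describes, has been presented. The customer records, product strings, function names and the activation-code scheme are all hypothetical.

```python
"""Added illustration of the account-linking weakness (hypothetical, not the banks' code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Customer:
    """Constructed record; the three PII fields are exactly what the flaw relied on."""
    customer_id: str
    name: str
    dob: str
    address: str
    products: list[str] = field(default_factory=list)
    # SHA-256 of the posted activation code; None once used or never issued.
    activation_hash: Optional[str] = None


# Constructed sample data, not real customers or real account numbers.
CUSTOMERS = [
    Customer("c-0001", "Alice Example", "1980-01-01", "1 Sample Street",
             ["Current account 12-34-56 00012345", "Mortgage M-0001"]),
    Customer("c-0002", "Bob Example", "1975-06-30", "2 Sample Street",
             ["Credit card ending 9999"]),
]


def _normalise(value: str) -> str:
    """Collapse whitespace and case so trivial formatting differences do not matter."""
    return " ".join(value.split()).casefold()


def _find_by_pii(name: str, dob: str, address: str) -> Optional[Customer]:
    """Look up an existing record by the three attributes alone."""
    for c in CUSTOMERS:
        if (_normalise(c.name), c.dob, _normalise(c.address)) == (
            _normalise(name), dob, _normalise(address)
        ):
            return c
    return None


def link_products_vulnerable(name: str, dob: str, address: str) -> list[str]:
    """Weak design: a PII match is treated as proof of identity and the
    applicant is shown every product on the matched record straight away."""
    c = _find_by_pii(name, dob, address)
    return list(c.products) if c else []


def issue_activation_code(customer_id: str) -> str:
    """Generate a single-use code for delivery out of band (by post in the
    fix the article describes). Only its hash is kept server-side; the
    plaintext goes into the letter, never back to the online applicant."""
    code = secrets.token_hex(8)
    for c in CUSTOMERS:
        if c.customer_id == customer_id:
            c.activation_hash = hashlib.sha256(code.encode()).hexdigest()
            return code
    raise KeyError(customer_id)


def link_products_hardened(name: str, dob: str, address: str,
                           presented_code: str) -> Optional[list[str]]:
    """Hardened design: nothing about linked products is revealed until the
    applicant proves possession of the posted code. 'No such customer',
    'no code issued' and 'wrong code' all return the same None, so the
    application flow cannot be used to confirm that a record exists."""
    c = _find_by_pii(name, dob, address)
    if c is None or c.activation_hash is None:
        return None
    presented_hash = hashlib.sha256(presented_code.encode()).hexdigest()
    if not hmac.compare_digest(c.activation_hash, presented_hash):
        return None
    c.activation_hash = None  # single use: a replayed code fails
    return list(c.products)


if __name__ == "__main__":
    pii = ("Alice Example", "1980-01-01", "1 Sample Street")
    print("vulnerable:", link_products_vulnerable(*pii))                 # full product list
    print("hardened, no code:", link_products_hardened(*pii, "guess"))   # None
    code = issue_activation_code("c-0001")  # would be printed in a letter
    print("hardened, with code:", link_products_hardened(*pii, code))
```

The design point is the one the article makes: the three attributes are widely obtainable, so they can only identify a record, not authenticate the person in front of the screen. Linking to existing products (and showing balances, sort codes and direct debits) has to wait for something the genuine customer alone possesses, and the response for a wrong or missing code should be indistinguishable from "no such customer" so that the sign-up flow does not double as a lookup service.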

Some media reports have suggested this problem could date back as far as February 2009, when the sister banks were acquired by Lloyds TSB. This means customers could potentially have been exposed for up to six years, although the group told Which? that this was an issue for no more than two years.
