
Topic: My bank fucked up. (Read 1234 times)

member
Activity: 84
Merit: 10
September 07, 2012, 12:26:09 AM
#11
Long Island Power Authority did this last year...

They simply "Replied To All" an apology.

Kinda Classic.
hero member
Activity: 868
Merit: 1000
September 06, 2012, 04:23:16 PM
#10
Is there an appropriate government office to send this information to?

Yes, there is 'datatilsynet' (the agency concerned with privacy issues), which I called today. The employee I talked with said I could file a complaint; dunno why he couldn't take one over the phone. He didn't seem too interested though. Don't know what I could achieve by filing a complaint, not even sure if the bank would get a fine?

And there's of course 'finanstilsynet' (the agency concerned with whether banks are adhering to the current legal framework); not so sure they would care about some e-mails sent to the wrong people.

There must be some way to anonymize your email address, spammers seem to do it all the time.

Yes, there are several free e-mail providers that I could do it through. Not sure if any of these would accept that many (hundreds of) recipients though.
hero member
Activity: 518
Merit: 500
September 06, 2012, 03:29:00 PM
#9
First, Stephen Gornick, you hit the nail on the head. Also a very entertaining story. You're correct in that for people to act, they need an incentive. When a customer complains they just brush it off, but have some agency call them that could actually shut them down if they don't behave, then they suddenly stand all erect and yell: "Yes Sir, Yes Sir!"

Alternatively, you could email every address the bank leaked to you and tell them:
- The bank leaked their email addresses
- How using Bitcoins will allow them to remain anonymous and not rely on a 3rd party
- Links to more info about Bitcoin

Yes, I thought of e-mailing them all asking them how they felt about their bank distributing their corporate e-mail address to hundreds of recipients like this. Not sure though, if the bank ever found out, if the situation would turn against me, and create trouble for me.

Is there an appropriate government office to send this information to?

There must be some way to anonymize your email address, spammers seem to do it all the time.
hero member
Activity: 868
Merit: 1000
September 06, 2012, 03:17:05 PM
#8
First, Stephen Gornick, you hit the nail on the head. Also a very entertaining story. You're correct in that for people to act, they need an incentive. When a customer complains they just brush it off, but have some agency call them that could actually shut them down if they don't behave, then they suddenly stand all erect and yell: "Yes Sir, Yes Sir!"

Alternatively, you could email every address the bank leaked to you and tell them:
- The bank leaked their email addresses
- How using Bitcoins will allow them to remain anonymous and not rely on a 3rd party
- Links to more info about Bitcoin

Yes, I thought of e-mailing them all asking them how they felt about their bank distributing their corporate e-mail address to hundreds of recipients like this. Not sure though, if the bank ever found out, if the situation would turn against me, and create trouble for me.
legendary
Activity: 2506
Merit: 1010
September 06, 2012, 01:35:13 PM
#7
Alternatively, you could email every address the bank leaked to you and tell them:
- The bank leaked their email addresses
- How using Bitcoins will allow them to remain anonymous and not rely on a 3rd party
- Links to more info about Bitcoin

Simply notifying the recipients would not be commercial, so it wouldn't violate U.S. anti-spam (Unsolicited Commercial E-mail) laws. I don't know the laws in that jurisdiction. Adding Bitcoin could cause it to be interpreted as being a commercial message.

Regardless, that's more like a boiler room / telemarketer tactic. The message about Bitcoin as a pseudonymous store of value will reach them eventually; it is probably best not to give a bad first impression.
legendary
Activity: 2506
Merit: 1010
September 06, 2012, 01:28:17 PM
#6
I think a serious bank should never have an incident like this, and actually there should be technical measures in place that prevented it from happening in the first place.

Revenue resulting from direct emails by a few aggressive salespeople: Tens or hundreds of thousands of dollars.
Losses resulting from data leakage by the same aggressive salespeople: [About ten minutes of time from some customer service rep, maybe a supervisor has to say Oh so sorry, K Thx Bye.]

Net result:  More of the aggressive salespeople will continue just as before, data privacy be damned if it happens.


Years ago there was a division at Kaiser (a very large hospital system in the U.S.) that had a form for doctors to use for referring patients to outside surgeons. At the bottom of the form was a fax number for use on their inside phone system (TIE lines). At some point, this form was distributed to doctors outside their system. Coincidentally, I had a fax number (eFax) that was the exact same number as that Kaiser TIE line number after the TIE line number was prefixed with my area code.

Several times a week I would get faxes from doctors offices referring their obese patients for bariatric bypass surgery.  At first it was quite entertaining ... people were claiming to their doctors that they ate cucumbers and bread crumbs yet watched their weight zoom, up from a number that started with a three to even bigger numbers.  But at the same time I was getting each patient's name, address, SSN, phone, next of kin, height, weight, race, hair and eye color, psychiatric counseling history, pre-existing conditions, etc.  All huge HIPAA violations.

For some I would call the doctors' offices and make a plea that they figure out the error in their process. I continued to get faxes, often from the same doctors' offices, and sometimes they were even sent by the same people I had previously talked to on the phone. They were simply blowing me off. It wasn't costing them anything.

Then I appealed to Kaiser. They passed the buck because they weren't the ones sending me the faxes ... essentially "not our problem, contact the private doctors' offices directly".

The faxes were arriving with increasing frequency, so I simply took a sample of forms received for the week and attached them to an e-mail that I had written to the Medical Board of California. Within about 24 hours I had gotten written apology e-mails from Kaiser (the same person who had previously said "not our problem" was now acutely aware of whose problem it was and was apologizing profusely) and from each of the doctors' offices whose faxes I had forwarded to the State.

Kaiser's rep assured me that each doctor in their system would become aware of the problem and that if I were to receive any more faxes I should please let them know. I did get just a few more after that and then they stopped arriving and that was that, except for one about six months later; a new hire using the old form from a training manual was the explanation I was given.
sr. member
Activity: 308
Merit: 250
September 06, 2012, 01:11:57 PM
#5
Alternatively, you could email every address the bank leaked to you and tell them:
- The bank leaked their email addresses
- How using Bitcoins will allow them to remain anonymous and not rely on a 3rd party
- Links to more info about Bitcoin

edd
donator
Activity: 1414
Merit: 1002
September 06, 2012, 12:24:56 PM
#4
But this only goes to show that it's not only amateurish bitcoin shops that fuck up. Even large multi-million-dollar banks are no stronger than their weakest point, their most incompetent employee.

I have seen this often, from both sides of the customer/company relationship. Poorly trained and/or indifferent employees are often trusted with sensitive information, usually due to equally apathetic managers and supervisors. All you can do is your due diligence and safeguard your own interests the best you can.
hero member
Activity: 868
Merit: 1000
September 06, 2012, 11:58:34 AM
#3
Could you share the name of the institution so we know to avoid it in the future?

In all fairness, I don't think this particular bank is better or worse than any other bank; I've just come to accept the fact that most people are completely indifferent when it comes to IT security.

The bank in question was DNB Bank ASA (https://www.dnb.no/)
hero member
Activity: 518
Merit: 500
September 06, 2012, 11:47:12 AM
#2
Could you share the name of the institution so we know to avoid it in the future?
hero member
Activity: 868
Merit: 1000
September 06, 2012, 11:35:02 AM
#1
In one of my domestic banks I have a so-called 'customer contact agent'. This individual has already announced his assignment to me twice, weeks apart: "Congratulations, you've been assigned a new 'customer contact agent'." And today, in all his eagerness to please his employer, he sent me an offer for a 'free' seminar where I could learn more about pension plans. Oddly enough, in my e-mail box there was another e-mail from the same contact 2 hours later, stating that the previous e-mail was recalled. Obviously this didn't work or have any effect in my e-mail client, and I guess it had no effect for several of the hundreds of other customers receiving the same e-mail.

After further inspection I saw that all the bank branch's corporate customers were cc'ed on the e-mail. ALL OF THEM. Many with the first name of the person responsible for banking stuff, followed by the company name, like [email protected].

First off, a bank should never divulge information to any third party except when required by law. So I immediately called the bank and asked to talk to the head of IT Security; after lots of fiddling around by the receptionist, I was finally passed through to some person who absolutely did not have a clue, but who took my number and name, and then the branch manager called me back a few minutes later.

The only thing he could say about the incident was that he was ashamed and very sorry, but that the damage was already done. I told him how the information released could be used in numerous phishing scenarios, and how easy it is to extract information from other online sources given a contact person's name, the name of the company, and which bank they use. E-mail accounts could be hacked, and the hacker could gain access to information that could be used in new e-mail dialogues with the bank, or in continued dialogues. With all the information that could be gleaned from such a leak, clever social engineering could be used for monetary gain as well.

I asked the bank to immediately remove my dedicated 'customer contact agent' and block all his access to my accounts. I'm stunned that a serious financial institution is not able to secure its customers' information any better than this. Checking my online banking account, there wasn't even a mention of my e-mail, which I immediately changed to another one, so this means the bank is storing my e-mail in some other internal systems as well, which I have no chance to alter.

As this bank uses a pin code generator for login, and a dedicated user name for each account, both of which are sent through the mail with no other verification, I'm wondering if an attacker could simply claim he had forgotten his pin and then ask for a new pin generator to be sent to an address of his choice, or he could pose as the bank and ask the customer to send the pin generator to a 'security company', claiming that there was something wrong with the pin generator's security and it needed to be addressed. Perhaps that would be a dead giveaway, but if somebody calls and addresses the customer by name, and presents themselves as 'security administrator' of the bank, I think some may have been fooled.

Or, some clever hacker could simply make a man-in-the-browser attack and distribute the code to the customers through some recent exploits.

The bank claims they can never do any monetary transfers initiated by e-mail communication, but I wonder if all the countless bank clerks adhere to that rule, esp. for customers that they already have a high level of trust in.

If an attacker were to change the physical address of a bank account holder, I guess he could have a new pin generator and code sent to that address as well. With mule accounts, the money could rapidly be extracted from an ATM by some shady mule.

Some non-tech people may downplay the seriousness of this issue, but I think it's pretty serious, and that it shows that the bank doesn't have good enough routines to deal with customer data. I also wonder how the 'customer contact agent' happened to paste all those hundreds of addresses into the CC field. Did he extract them from some internal system where he puts down notes on which customers to 'trick' next, i.e. selling worthless overpriced products and so on? Perhaps he just stored all the addresses in a Word document?

I think a serious bank should never have an incident like this, and actually there should be technical measures in place that prevented it from happening in the first place. I.e., if a bank clerk needs to send an e-mail to a group of people, this should be added to the e-mail program by IT, so the clerk just needs to select 'corporate customers', and then the message would go as bcc to each of those customers. There shouldn't be a possibility for a bank clerk to paste hundreds of e-mail addresses into the CC or TO field and press send.

I think this is extremely amateurish, and not something you would expect from a professional financial institution.

For those wanting a copy of the e-mail I received, I won't give it out, as I don't want to contribute to escalate the issue.

But this only goes to show that it's not only amateurish bitcoin shops that fuck up. Even large multi-million-dollar banks are no stronger than their weakest point, their most incompetent employee.
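The technical measure the post asks for, written out as an added example (this is not code from the thread, from the poster, or from DNB). It is the kind of outbound-mail policy check a mail gateway or submission hook would run: it counts the recipients every reader of the message can see, and, separately, how many distinct outside domains appear among them, because a handful of customers at a handful of different companies is already a customer list even when the raw count is small. When either limit is exceeded it moves every To/Cc address into Bcc. The bank domain, the two limits, and the two sample messages and their addresses are all assumptions constructed for the example.

```python
# Added example, not code from the thread or from the bank it discusses.
# Assumed: the sender's domain, the two policy limits, and the sample messages.
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

INTERNAL_DOMAIN = "bank.example"    # assumption: the sending organisation's own domain
MAX_VISIBLE = 10                     # assumption: more visible recipients is a mass mailing
MAX_VISIBLE_EXTERNAL_DOMAINS = 3     # assumption: more distinct outside domains is a customer list


def _addresses(msg: Message, *headers: str) -> list[str]:
    """Lower-cased addresses from every occurrence of the given headers."""
    raw = []
    for name in headers:
        raw.extend(msg.get_all(name, []))
    return [addr.lower() for _realname, addr in getaddresses(raw) if "@" in addr]


def visible_recipients(msg: Message) -> list[str]:
    """Addresses that every recipient's mail client will display (To and Cc)."""
    return _addresses(msg, "To", "Cc")


def bcc_recipients(msg: Message) -> list[str]:
    return _addresses(msg, "Bcc")


def external_domains(addrs: list[str]) -> set[str]:
    """Domains in the list that are not the sender's own organisation."""
    return {a.rsplit("@", 1)[1] for a in addrs if not a.endswith("@" + INTERNAL_DOMAIN)}


def check_outbound(msg: Message) -> tuple[str, Message]:
    """Return ("allow", msg) or ("rewrite", copy) where the copy has To/Cc moved to Bcc.

    Two rules: a count of visible recipients, and a count of distinct external
    domains among them. The second one is what catches the case in the post:
    seven customers at seven different companies, each now able to see who
    else banks at the branch, is a leak; seven colleagues at one domain is not.
    """
    addrs = visible_recipients(msg)
    if len(addrs) <= MAX_VISIBLE and len(external_domains(addrs)) <= MAX_VISIBLE_EXTERNAL_DOMAINS:
        return "allow", msg
    fixed = message_from_string(msg.as_string())   # work on a copy, leave the original untouched
    del fixed["To"]                                # Message.__delitem__ removes every occurrence
    del fixed["Cc"]
    fixed["To"] = "Undisclosed recipients:;"       # empty RFC 5322 group: valid header, shows no address
    fixed["Bcc"] = ", ".join(addrs)
    return "rewrite", fixed


def load(raw: str) -> Message:
    return message_from_string(raw)


# Constructed sample: the kind of message described in the post, with the
# branch's corporate customers pasted into Cc. All addresses are invented.
SAMPLE_LEAK = """\
From: Customer Contact Agent <agent@bank.example>
To: ola@nordmann-as.example
Cc: per@fjell-bygg.example, kari@kyst-fisk.example, anne@dal-data.example, lars@vik-import.example, nils@oslo-trykk.example, eva@bergen-bok.example
Subject: Free pension seminar

You are invited to a free seminar on pension plans.
"""

# Constructed sample: an internal broadcast with the same headcount, which must pass.
SAMPLE_INTERNAL = """\
From: agent@bank.example
To: a@bank.example, b@bank.example, c@bank.example
Cc: d@bank.example, e@bank.example, f@bank.example, g@bank.example
Subject: Branch meeting

Meeting at 09:00.
"""

if __name__ == "__main__":
    for label, raw in (("customer mailing", SAMPLE_LEAK), ("internal broadcast", SAMPLE_INTERNAL)):
        verdict, out = check_outbound(load(raw))
        print(f"{label}: {verdict}, visible={len(visible_recipients(out))}, bcc={len(bcc_recipients(out))}")
```

The rewritten message keeps the addresses in a Bcc header only so that the submitting code can read them; `smtplib.SMTP.send_message` takes its envelope recipients from To, Cc and Bcc and strips the Bcc header from the copy it sends, which is what makes the recipients invisible to each other. A stricter policy than rewriting is to bounce the message back to the clerk with the reason; the check is the same either way, and the point is that it runs on the server, where the clerk cannot skip it.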
