A Halifax and Bank of Scotland (HBOS) online security flaw meant balances and transactions were left exposed for others to view – which could have led to a privacy breach for millions, or worse, a risk of fraud.

MoneySavingExpert.com uncovered the security hole last week, and once we'd confirmed it, we alerted the sister banks, both part of the Lloyds Banking Group.

Worryingly, anyone who knew how to break in – and it didn't require any sophisticated computer knowledge – could have accessed bank, savings, credit card, loan or mortgage account numbers, balances and transactions.

We delayed publication until HBOS told us the problem was fixed, and gave assurances the wider Lloyds group was unaffected. HBOS – which has reported the breach to the relevant authorities – says it is "confident" no customers were defrauded as a result. Following our intervention, it has overhauled how new customers apply online.

Halifax and Bank of Scotland have a combined 22 million customers but not all were on this insecure system – the banks don't know the true number of vulnerable accounts, and as we can only speculate, it therefore could be anything from tens of thousands to many millions.

Massive systems flaw explained

The way you could have accessed vulnerable accounts before the fix was as follows:

  • Step 1. You only need three pieces of accurate information – a correct name, date of birth and postal address – to set up a Halifax or Bank of Scotland savings or current account online, not even a correct email address. These are potentially accessible via social media, online tools, rifling through bins and much more. The banks ask more questions but answers to them don't have to be given accurately to initially set up an account. 
  • Step 2. Customers who set up an account, even if they didn’t put any money in, would have got instant access to it online, assuming they followed the correct instructions. This was the key flaw – as you will see from step 3, it resulted in applicants being given instant access to all details without a password or additional security. This is what has been changed as you must now wait for a postal activation code, as we explain below.
  • Step 3. Once an account is set up and viewable online, HBOS automatically links all products customers have with either Halifax or Bank of Scotland, including bank, savings, credit card, loan and mortgage accounts. Therefore, they can see info on those accounts including account numbers, sort codes, balances, overdraft limits, direct debits and standing orders.

HBOS states at-risk accounts were those where a customer had a product(s) with either Halifax or Bank of Scotland (not both), and where a new application was made with the brand they didn’t originally have an account with, ie, they were a Halifax customer and someone applied for a Bank of Scotland account in their name.

Their investigations have determined when the flaw was introduced but they won't tell us precisely when that was. When we first published the story this morning HBOS had told us it was some time since January 2009, but it has since revised that statement to say it was roughly two years ago. Therefore, vulnerable accounts were those fulfilling the criteria above opened since late 2013.

As linked accounts are 'view-only' you could not make any changes to them or take any actions. Therefore, it was NOT possible to move money out or set up standing orders from them. However, you could still view all standard information available from an online account.

Martin Lewis, MoneySavingExpert.com founder, comments: "In a world where scammers and hackers are getting ever more powerful we need our banks to step up their action, this isn't good enough. The ability to easily view all of someone's banking details is a criminal's Christmas, never mind the potential privacy breach.

"We are often told to protect ourselves but they need to act in a way that protects us too. This wasn’t some clever hacker finding a breach, it was simply a design flaw. If they're not much more professional than phishing websites, how are we to judge who's real and who's a fraud?"

The Information Commissioner’s Office (ICO), responsible for upholding data privacy laws, and City regulator the Financial Conduct Authority (FCA) are both aware and are looking into the matter. HBOS reported the flaw to them last week, after we informed the bank about it. Both have the power to fine firms for data security breaches.

An FCA spokesman says: "The bank has made the FCA aware, and we have been liaising with it. All regulated firms are expected to have adequate systems and controls in place so customers' data is not at risk."

An ICO spokesman says: "We're aware of the matter and considering what next steps may be appropriate."

How we discovered the flaw

We unearthed the massive security glitch because a MoneySaver told us when they opened a Bank of Scotland account in their name they were able to view their Halifax current account online despite not having an online log-in for it.

When a Halifax customer volunteer in MSE Towers tested it, and only used an accurate name, date of birth and postal address, they were able to open a new Bank of Scotland current account in their name. Other questions were asked, but they gave a number of incorrect answers to them.

With the log-in generated, they were able to view their various Halifax accounts online. This all happened in less than five minutes.

However, we waited to publish the story until HBOS confirmed the hole was plugged, as Martin Lewis explains: "As a journalistic organisation we were in a quandary as to when to break the story. We know traditional journalism may have exposed the story first and kept an impartial distance from the effect of exposing a hole in a banking system.

"That isn't our style – we're here to 'cut your bills and fight your corner'. So we took the decision it was in the public interest to allow the bank time to fix the problem before reporting it, to ensure customers' money wasn't at risk from our publication. I hope MoneySavingExpert users agree with that decision."

Huge Halifax and Bank of Scotland data security flaw exposed by MoneySavingExpert.com
Huge Halifax and Bank of Scotland data security flaw exposed

HBOS says flaw is 'fixed'

Following our intervention, HBOS last week overhauled its processes so anyone asking for online banking access as part of a new product application (whether they are a new or existing customer) will have to wait for a postal activation code first. It has not made any other changes.

The Lloyds group has also stated all its other brands – including Lloyds Bank, Birmingham Midshires and Scottish Widows – are safe from this flaw.

It also insists it was a coincidence it sent an email to Halifax customers late last week – around the time it fixed this glitch – announcing a "fresh look" to online banking and including the line "your account is as secure as it’s always been".

A Lloyds Banking Group spokesman says: "We'd like to thank MoneySavingExpert.com for bringing this issue to our attention and providing us with the time to investigate this fully.

"We take the financial security of our customers extremely seriously and have advanced safeguards in place across our IT systems. All applications are scrutinised for anything suspicious and this triggers further action immediately.

"We recognise that allowing customers to view linked accounts immediately following an online application could have been used inappropriately in certain, limited circumstances and this will no longer happen."

The bank states some 23,000 accounts have been opened fulfilling the criteria above. However it says it has undertaken a review of these accounts over the past few days and insists there "have been no instances of fraud or customer complaints".

Of course, the issue was not just about how many accounts were opened but the risk the flaw posed to many more people's sensitive data.

HBOS adds that if an account was set up with minimal info given or if it shows any other suspicious signs, its fraud detection systems would flag it for investigation which may later result in access being revoked.

Accounts with no customer-initiated transactions for three years were NOT at risk, as these were classed as 'dormant' and put on a different system.

Have your say