As I pointed out to the bank about bugs or About data leakage

This story has been going on for six months now and is associated with the disclosure of personal information by one of the Moscow banks. Since the error has not been completely eliminated, I will not indicate which bank is meant. For the same reason, I do not post scans of documents here, but "I have them."


I regularly replenish the account in this bank, through the cashier-operator, without experiencing any particular difficulties. It is also interesting that when depositing money, usually no documents are required from the depositor - it is enough to know the name of the recipient and the type of card (they may ask for a number, but I will not mention this). In especially neglected cases (if the recipient's name is Ivan Kuznetsov), they may also ask for the date of birth. Not for security, but to prevent a mistake and not to confuse the recipients.

So, I go up to the cashier, give my name, type of card, amount, bring in money and leave satisfied. And already at home I see that on the credit order issued to me, in addition to the full name and account details, my passport data proudly flaunts. The version that the cashier recognizes me in person was rejected and vague doubts began to creep into my soul ...

"We did not make a scandal ..." (c). A test was conducted first. I went to another office of the bank and replenished the card of my friend (a client of the same bank). It worked, they didn’t even ask my passport, and my friend’s passport details were on the warrant. Repeating the trick in other offices (to eliminate human error and the incompetence of cashiers), we began to think - what to do next.

First, there was a polite message with a description of the bug at info @ <bank website> and the phrase "For the security department" in the subject line of the letter. Silence. Then the same qidul went to the IT department. The same result. And I decided to send an application in free form through the Internet bank.

Here begins the main Hochma. I will not be lazy and partially quote the correspondence ...

My first message:
<...> I bring to your attention information about a deficiency in the bank’s software that allows you to access personal data of a bank client. Namely: when replenishing the client’s account with the depositor, the client’s passport data is printed in the receipt order. Thus, you can find out the passport data of any account holder in a bank <...>. To do this, it is enough to contact any office of the bank and ask to replenish the account of the person of interest, giving his name. After the operation, the cashier will issue a receipt order, which will contain the specified passport data of the account holder. <...> It is interesting that with the usual replenishment of the account (from its owner), exactly the same information is indicated on the order. This suggests that the bank’s software simply does not provide a separate replenishment scenario from the depositor and cashiers conduct this operation as follows as if the account holder were depositing money. I ask you to find the opportunity to eliminate this vulnerability as soon as possible, because data leakage may occur and, as a result of this, lawsuits against the bank from injured persons <...>

They answered me in the tradition of state institutions.
The question was about one thing, but from the bank they answer about another:
Dear <...>! To make a replenishment of the Card Account by a third party, the depositor must, in addition to transferring funds, also give the full name of the owner of the Card account, and if necessary, inform the Bank employee of the card number or card number of the client. The specified information can only be obtained from the account holder with his consent. Sincerely, OJSC AKB <...>

That is, if I myself give the depositor a card number, then I believe him as myself. Yeah, and the key to the apartment ... I got a little pissed off, because you can receive such letters from the district clinic, at worst from the Russian Post, but not from a commercial organization.
I answer the bank:
It seems that you did not catch the essence of the problem. If I, as the owner of the card, give its number to a third party so that it can be replenished, I naturally do this voluntarily. But I DO NOT WANT that after the completion of the replenishment operation this third party will also receive my passport data. But in practice this is what happens (they are printed on the receipt order). It turns out that a third party receives my passport data from the bank, despite the fact that I did not give permission for this transfer. There is a leak of personal information through the fault of the bank.

And in the end, we seem to come to the desired consensus.
From the bank they write:
When funds are deposited into your account at the Bank’s office from third parties, the passport details of the depositor will be reflected in the cash receipt order.

I seemed to be delighted, but my eye caught on the phrase "depositing into YOUR account ...". In any case, a new feature needs to be tested. I send my spouse to put 50 rubles on my card and with bated breath I am waiting for the result. And here begins the natural big top.

Typically, a recharge operation takes a maximum of ten minutes. After 10 minutes, a text message about replenishment falls on the phone, but the wife does not return. Half an hour passes and I'm starting to strain - what if she was tied up for illegal financing of other people's accounts? Finally, the spouse returns and with a wild laugh tells me what happened.

After she called the name of the recipient and gave the money, the account was immediately credited. And they gave her a receipt warrant with my passport data (i.e., everything is as before). But suddenly the cashier became nervous, began to read something on the monitor and asked to return the order. Then the operation was reversed (I later saw this on the statement) and carried out again. The result was another credit order, but with the passport details of the depositor, as promised.
PROFIT? Not. The vulnerability was closed by simply placing a message on my account. I think that it looks something like this: "The client is a bore, when entering the account, print the passport details of the depositor in the order."

But the original vulnerability is not closed! And any fraudster, knowing the name of the person and having information that he has an account with this bank, can get his passport data. And if you're lucky, there’s also a residence address, because sometimes when making money, the cashier says it out loud and asks: “This address, right?” In general, my joy was short-lived, although I kind of protected my own personal data.

That’s the whole story.

PS A question for lawyers - is it possible to sue for such a bank? If so, under what article and where to complain?

UPD: In the comments, they noticed that a similar case a year ago took place in Sberbank.

UPD2: 09/22/2014
A miracle happened! Apparently somewhere in the depths of the bank something clicked and the wheels rolled in the right direction. A friend recently replenished a relative's card in this bank (in cash, from a depositor, i.e. a case similar to mine). So he was asked for a passport and the account holder information was NOT indicated in the order. Hooray, I changed the system! :)
Yes, now you can ... It was Vanguard Bank. And he did grow up in my eyes.

Also popular now: