Starling Bank gets passport to security issue hell
A vulnerability in Starling Bank’s online security – and plenty of publicity – has led to the UK challenger updating its internal processes.
Ben McRae, head of customer platform at Arcadia Group, revealed on Twitter that a copy of his passport on the bank’s online support tool could be accessed by anyone with the URL. “No password or authentication was needed.”
He notes that these are the same passport details which are required to authenticate telephone banking.
Initially, McRae spoke to Starling in private. The bank also responded on Twitter that it was looking into it.
However, on 30 December he felt nothing was happening – or it was all too slow: “4 days later – my passport photo is still publicly available @StarlingBank. No explanation – no phone call from a manager as promised. You do not take your customers personal data and security seriously. Personal data breach 101. I will now report you to the ICO [Information Commissioner’s Office].”
Around the same time, McRae posted on LinkedIn about the issue. At the time of writing it has 202 comments – with a lot of arguing over the rights and wrongs.
For example, one comment noted: “I still don’t understand why this is a threat. It’d take an immensely long time for someone to guess the 25 characters. It’s like sharing photos on Google. Only people with the link can view the photo. If you forwarded the URL, the breach is created by you.”
It’s a good point but McRae answered: “Or if Starling employees took it home, or if it was crawled… and it’s not just a photo. It’s my passport?”
His view – shared by others on LinkedIn – was that it took a post to go viral before something was done.
Alexandra Frean, head of corporate affairs at Starling Bank, responded on LinkedIn: “We sent a tokenised URL visible only by you. Others would only see it if you forwarded it to them. We don’t regard it as a breach or an issue for the ICO.”
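The dispute above turns on whether a long random token in a URL is an access control. As an added illustration (not code from the article, from Starling or from anyone quoted), the snippet below contrasts a bare "tokenised URL" with a link that is signed, bound to the owning account and expiring, so that the file is served only in an authenticated session of that owner; all identifiers, the document store and the signing key are constructed:

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample data: one uploaded passport scan, owned by one customer.
DOCUMENTS = {"doc-123": {"owner": "cust-42", "blob": b"<passport image bytes>"}}
# Constructed signing key; a real service would keep it in a secret store.
SIGNING_KEY = secrets.token_bytes(32)

# --- Weak pattern: capability URL. Whoever holds the random token gets the file. ---
WEAK_LINKS = {}

def weak_issue_link(doc_id):
    """25-character random token with no owner binding and no expiry."""
    token = secrets.token_urlsafe(19)[:25]
    WEAK_LINKS[token] = doc_id
    return token

def weak_fetch(token):
    """No session check: a forwarded, logged, cached or crawled link is enough."""
    doc_id = WEAK_LINKS.get(token)
    return DOCUMENTS[doc_id]["blob"] if doc_id else None

# --- Hardened pattern: signed link naming the owner, with a short lifetime. ---
def issue_link(doc_id, account_id, ttl_seconds=600, now=None):
    """Token = doc.owner.expiry.HMAC; ids are assumed not to contain '.'."""
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    payload = f"{doc_id}.{account_id}.{exp}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def fetch(token, session_account, now=None):
    """Serve the blob only for an unexpired, untampered link used by its owner."""
    try:
        doc_id, account_id, exp, mac = token.split(".")
    except ValueError:
        return None  # malformed token
    payload = f"{doc_id}.{account_id}.{exp}"
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered token
    if int(exp) < (now if now is not None else time.time()):
        return None  # link has expired
    owner = DOCUMENTS.get(doc_id, {}).get("owner")
    if session_account != account_id or owner != account_id:
        return None  # link holder is not the authenticated owner of this document
    return DOCUMENTS[doc_id]["blob"]
```

The hardened `fetch` still needs a real login check upstream to establish `session_account`; the token alone, however long, is never treated as proof of identity.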
The bank has also updated its processes to deal with this viral drama.
John Mountain, CIO at Starling Bank, added: “We have implemented even more precautions today. I would also like to comment on another aspect of this. A number of people have raised the question of responsible disclosure with us. This is something I have been working on recently with our head of information security and I hope to publish our policy in January and have the process operating from February.”
It seems McRae is satisfied with the Starling response and he has not gone to the ICO.
Let’s leave the last word to him: “I am not asking for a front page headliner! I want my passport photo taken down! Starling refused to do anything about it until I went to social media. So here we are.”