Barclays compromise financial privacy

On September 23, 2009 I discovered a vulnerability on Barclays online banking service which permitted a remote adversary to peruse customer bank statements. Barclays were immediately notified, but defended their system design as a balance between privacy and usability. The Financial Service Authority (FSA) and Information Commisioner's Office (ICO) were also informed. Six months later I published a technical report (http://www.bensmyth.com/publications/10barc/) on the attack. Following media coverage from PC Pro and The Times; Barclays finally fixed the vulnerability on May 17, 2010.

Security researchers widely accept the need for responsible disclosure, that is, notifying service providers and regulators prior to publishing details of system vulnerabilities. However, it would appear that Barclays simply used this period to shy away from their responsibilities, sacrificing their customers right to financial privacy. In addition, regulators failed to react to the problem in a timely manner; in fact, to the best of my knowledge, the regulators still have not reacted.

In this instance it would appear that public disclosure at an earlier date would have directly benefited customer security. Accordingly the research community should consider how best to handle disclosure in the future.