This story has been going on for half a year already and concerns the disclosure of personal information by a Moscow bank. Since the error has not been completely eliminated, I will not say which bank I mean. For the same reason, I am not posting scans of the documents here, but "I have them."
I regularly top up my account in this bank through the cashier-operator, without any special difficulties. It is also interesting that when a depositor pays money in, they usually do not require documents: it is enough to know the recipient's full name and the type of card (they may ask for the number, but I don't remember this). In especially tricky cases (if the recipient's name is Ivan Ivanovich Kuznetsov), they may also ask for the date of birth. Not for the sake of security, but so as not to make a mistake and confuse the recipients.
So, I go to the cashier, state my name, card type and amount, deposit the money and leave satisfied. And only at home do I see that the credit order issued to me proudly displays, in addition to the full name and account details, my passport details. The theory that the cashier recognizes me by sight was rejected, and vague doubts began to creep into my soul ...
"We did not make a scene ..." (c). First, a test was conducted. I went to another bank office and topped up the card of my friend (a client of the same bank). It worked: I was not even asked for my passport, and my friend's passport details were displayed on the order. Having repeated the trick in other offices (to rule out human error and incompetence of cashiers), we began to think about what to do next.
At first there was a polite message with a description of the bug to info@<bank site> with the phrase “For the security department” in the subject line. Silence. Then the same missive went to the IT department. The same result. And I decided to submit a free-form request through the Internet bank.
Here the real fun begins. I will not be lazy and will partially quote the correspondence ...
My first message:
<...> I bring to your attention information about an existing flaw in the bank's software which allows access to the personal data of a bank customer. Namely: when a client's account is topped up by a depositor, the client's passport details are printed on the credit order. This way you can find out the passport details of any account holder in the bank <...>. To do this, it is enough to contact any office of the bank and ask to top up the account of the person of interest, giving their full name. After the operation is completed, the cashier will issue a credit order, which will contain the passport details of the account holder. <...> It is interesting that with the usual top-up of the account (by its owner) exactly the same information is printed on the order. This suggests that the bank's software simply does not provide for a separate scenario for a top-up by a depositor, and the cashiers perform this operation as if the account holder were depositing the money. I ask you to find an opportunity to eliminate this vulnerability in the shortest possible time, because data leakage may occur and, as a result, claims against the bank from the affected persons <...>
They answered me in the tradition of public institutions.
The question was about one thing, but the bank answers about another:
Dear <...>! In order for a third party to top up a Card Account, the depositor also needs to provide the full name of the Card Account holder and, if necessary, tell the Bank's employee either the card number or the client's Card Account number. This information can only be obtained from the account holder with his consent. Sincerely, OJSC AKB <...>
That is, if I myself give the depositor a card number, then I trust him as I trust myself. Yeah, and the key to the apartment ... I was somewhat angry, because such formal replies can be received from the district clinic, at worst from the Russian Post, but not from a commercial organization.
I answer the bank:
It looks like you didn't catch the essence of the problem. If I, as the cardholder, give its number to a third party so that they can complete the deposit, I naturally do it voluntarily. But I DO NOT WANT this third party to also receive my passport information after the top-up operation is completed. But in practice this is what happens (it is printed on the credit order). It turns out that the third party receives my passport information from the bank, and moreover, I did not give permission for this transfer. There is a leak of personal information through the fault of the bank.
And in the end we seem to come to the desired consensus.
The bank writes:
When funds are deposited into your account at the Bank's office by third parties, the passport details of the depositor will be reflected in the cash order.
I was about to be delighted, but my eye caught on the phrase “deposited into YOUR account ...”. In any case, a new feature must be tested. I send my wife to put 50 rubles on my card and wait for the result with bated breath. And here a real farce begins.
Usually, the top-up operation takes a maximum of ten minutes. After 10 minutes, a text message about the top-up arrives on my phone, but my wife does not return. Half an hour goes by and I am already beginning to worry: what if she has been detained for illegally financing other people's accounts? Finally, my spouse returns and, laughing wildly, tells me what happened.
After she stated the recipient's full name and handed over the money, the account was immediately credited. And they gave her a credit order with my passport data (i.e., everything was as before). But suddenly the cashier became nervous, began to read something on the monitor and asked for the order back. Then the operation was reversed (I later saw this in the statement) and performed again. The result was another credit order, but with the passport data of the depositor, as promised.
PROFIT? No. The vulnerability was closed by simply putting a note on my account. I think that it looks like this: “The client is a bore; when crediting the account, print the passport details of the depositor on the order”.
But the initial vulnerability is not closed! And any scammer, knowing a person's full name and knowing that he has an account with this bank, can get his passport information. And if you're lucky, the residential address as well, because sometimes, when money is being deposited, the cashier says it out loud and asks: "This address, right?". In general, my joy was short-lived, although I sort of protected my own personal data.
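An added illustration, not part of the original post and not the bank's software: a minimal Python model of the three behaviours described above (one template for every deposit, the per-account note, and a rule keyed on who hands over the cash), with an audit that lists the accounts whose order would give the holder's passport to a third party. The `Account` fields, the `print_depositor` flag and all function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    number: str
    holder_name: str
    holder_passport: str
    print_depositor: bool = False  # hypothetical per-account note guessed at in the post

# Constructed sample data; every name and number here is invented.
FLAGGED = Account("ACC-1", "Holder One", "P-1111", print_depositor=True)
OTHER = Account("ACC-2", "Holder Two", "P-2222")

def order_observed(acct, payer_passport=None):
    """One template for every cash deposit: always the holder's passport."""
    return {"account": acct.number, "name": acct.holder_name,
            "passport": acct.holder_passport}

def order_account_note(acct, payer_passport=None):
    """Workaround: the payer's passport is used only on flagged accounts."""
    order = order_observed(acct)
    if acct.print_depositor and payer_passport:
        order["passport"] = payer_passport
    return order

def order_fixed(acct, payer_passport=None, payer_is_holder=False):
    """Systemic rule: the order carries the identity of whoever pays in."""
    if payer_is_holder:
        passport = acct.holder_passport
    elif payer_passport:
        passport = payer_passport
    else:
        # A third party must be identified before the order is printed.
        raise ValueError("third-party deposit requires the depositor's ID")
    return {"account": acct.number, "name": acct.holder_name,
            "passport": passport}

def leaks_holder(order, acct):
    """True if the printed order exposes the holder's passport data."""
    return order["passport"] == acct.holder_passport

def audit(make_order, accounts, payer_passport="P-9999"):
    """Simulate a third-party deposit on each account; return the leaking ones."""
    return [a.number for a in accounts
            if leaks_holder(make_order(a, payer_passport), a)]

if __name__ == "__main__":
    for fn in (order_observed, order_account_note, order_fixed):
        print(fn.__name__, audit(fn, [FLAGGED, OTHER]))
```

The audit over more than one account is what separates the per-account note from a real fix: the flagged account passes while every other account still leaks.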
That's the whole story.
P.S. A question for the lawyers: can you sue a bank for this? If so, under which article, and where do you complain?
UPD: In the comments we noticed that a similar case took place a year ago in Sberbank.
UPD2: 09/22/2014
A miracle happened! Apparently, somewhere in the depths of the bank, something clicked and the wheels rolled in the right direction. An acquaintance recently topped up a relative's card in this bank (in cash, as a depositor, that is, a case similar to mine). So he was asked for a passport and the data of the account holder was NOT indicated on the order. Hooray, I changed the system! :)
Yes, now you can ... It was the bank Vanguard. And it did grow in my eyes.