ORX News digests of the month: Q3 2019

  • 3 October 2019

Every month the ORX News team publishes a featured digest from the ORX News service. It's a detailed look at one of the operational risk losses reported in the media that month, and is handpicked by the team as one of the most interesting stories.

Read on for all the featured summaries from Q3 2019.

September: ING Bank to pay customers compensation over QR code fraud via mobile banking accounts

ING Bank said it would compensate retail customers in the Netherlands after fraudsters exploited a QR code function in the bank’s mobile app to steal funds. They did this by using a customer’s account number to generate a QR code and link a second device to the customer’s mobile banking account.

The fraudsters obtained customers’ account numbers under the pretence of paying for goods posted for sale by the victims on online marketplaces. Using the account numbers, the fraudsters generated QR codes using ING’s app to represent that the customers had installed the app on a second device. The fraudsters then sent the QR codes to customers, claiming that scanning the code would confirm payment. In fact, by scanning the QR codes, customers unknowingly activated ING’s mobile banking app on the fraudsters’ devices, giving them access to their accounts. The perpetrators defrauded some ING customers of thousands of euros in this way.

ING initially said that it would not compensate customers as they were responsible for the linking of third-party devices to their own accounts. However, in September the bank said it would provide a “considerable amount” of compensation as a goodwill gesture.

A report by consumer television programme Kassa said that ING’s QR code system was vulnerable because, compared to other banks’ systems, it required fewer steps to link a device. The bank said it would implement additional measures to increase its customers’ security.

ORX News subscribers can read the full story on the ORX News website.

August: DSK Bank fined BGN 1 million after third parties access over 33,000 customers’ data

On 28 August, the Bulgarian Commission for Personal Data Protection (CPDP) announced that it had fined DSK Bank BGN 1 million ($567,000) for failing to adequately protect customer information, resulting in unnamed third parties gaining access to over 33,000 customers’ data.

The data was taken from over 23,000 loan files, which also contained the personal information of customers’ related parties, such as relatives, vendors and loan guarantors. It comprised names, personal identification numbers, addresses, scanned copies of ID cards that contained certain biometric data, full tax and income information, bank account numbers and information about property deeds.

DSK Bank had failed to implement appropriate technical and organisational measures and to ensure the confidentiality, integrity, availability and sustainability of its personal data administration systems. The CPDP gave no further details about when or how the data breach occurred, but the bank said that it had not been the victim of a cyberattack.

July: Capital One expects to pay USD 150 million after hacker steals information of 106 million individuals

On 29 July 2019, Capital One announced that an external party had gained unauthorised access to the personal information of 106 million credit card applicants and customers by exploiting a configuration vulnerability in its infrastructure. On the same day, the US Department of Justice (DoJ) announced that the Federal Bureau of Investigation (FBI) had arrested the individual responsible for the hack. Capital One said that it expected the cost of the incident to be up to $150 million. It was reported that the data had been held on servers operated by Amazon Web Services (AWS).
