Starling Bank will review how it stores some sensitive data in the aftermath of a complaint by a customer that his passport details were shared with him on a URL.
The British mobile-only bank, which was founded in 2014, claimed that there had not been a data breach, despite the customer complaining that the bank ‘does not take security seriously’.
In response, Starling revealed that the internet link, which was sent to the customer via email and contained an image of his passport photo, was tokenised, meaning that outsiders would have been unable to access or guess it unless it was shared with them.
A spokesman said that use of the links was ‘extremely rare “and that it had only happened in a handful of cases, but revealed that the bank was ‘reviewing our use of the private link feature and related internal procedures”.
Starling also said that it would be “adding extra security measures to the way customers share documents with us by email’, and that the passport image was removed at the customer’s request.”
Cybersecurity expert Troy Hunt commented, “The situation isn’t ideal as the link alone would disclose personal information without further authentication. It should be rectified, but by the same token the workable attacks against the practice are limited. As far as I know you can’t, for example, simply guess the URL and pull back someone else’s passport data”.