Bank of Scotland’s irresponsible human error: time to revisit old business processes?

By Dr. Guy Bunker. 

Following on from our recent Knowledge is Power post on the responsibilities of companies in the financial sector to adhere to data protection regulations, as well as to instil an ethos of cyber security-conscientiousness to reduce the risk of internal security threats, my attention was drawn to the recent fine imposed on the Bank of Scotland by the ICO. The Bank of Scotland was found to have committed a series of communications errors that led to customers’ personal details being sent to the wrong recipients. Over four years, the bank had repeatedly sent faxes containing confidential information such as payslips, bank statements, bank account details, photocopies of IDs, pension plan details and mortgage applications to the wrong numbers. Not only did this naturally lead to some very bad PR, but also to a fine of £75,000. People’s financial details are as precious as their physical assets, and this error was arguably akin to handing out copies of its customers’ house keys.

Most importantly, this all occurred due to human error, a simple “misdialling of fax numbers”. In response to the fine, a Lloyds Banking Group spokesperson said: “The security of our customers' data is always our key priority. We apologise that, due to human error, a very small number of documents relating to 32 customers were unfortunately misdirected.” As we’ve emphasised before in our Enemy Within report, the internal threat is a company’s biggest threat. In this case, one question which springs to mind is FAXes… really… isn’t it time to revisit some of the business processes and see if they can be improved? Most organizations are the same as this one: there is a process, or many processes, which have been the same for years – it seems to work, so why fix it? The answer is, of course, that the world has changed. Mis-sent FAXes are never a good thing, but go back a few years and it wouldn’t have been a headline story, let alone incurred a fine. Times they are a changin’…

While no-one has the time to constantly visit and re-visit business processes, it isn’t a bad thing to ask staff what they do and to ask for suggestions as to how the process can be improved, especially if critical information is involved, such as credit card or bank details or PII. In this case, could email have been a better way to transfer the information than a FAX? That way, not only would the information get to the right location, but also to the right individual. Who knows who picks up the FAX? If this communication had been done by email, then technology could have been used to check that the recipient was supposed to be receiving the information – and, if not, to block it before it left the organization. Furthermore, new technology, such as adaptive redaction, could have been applied to make the transfer even more secure by ensuring that only the minimum data needed was shared; all the rest could have been automatically removed.
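The two controls described above, recipient verification and adaptive redaction, sketched as an outbound policy check. This is an added example written for this post, not code from any vendor product; the approved-recipient list, the per-recipient "needed fields" policy and the sample message are all constructed.

```python
"""Outbound e-mail policy check: recipient verification plus adaptive redaction.
Example code for this post, not a vendor product. Assumption (constructed):
each customer case has an approved recipient list and a policy naming which
sensitive field types that recipient actually needs to see."""
import re
from dataclasses import dataclass, field

# Constructed patterns for UK banking identifiers of the kind found in the
# documents the post lists (statements, account details, payslips).
PATTERNS = {
    "sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "account_number": re.compile(r"\b\d{8}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}

@dataclass
class Policy:
    approved: set                             # addresses this case may go to
    needed: set = field(default_factory=set)  # field types recipient may see

def redact(body: str, needed: set) -> tuple[str, dict]:
    """Remove every sensitive field type the recipient does not need;
    returns the redacted body and a count of redactions per field type."""
    counts = {}
    for name, pattern in PATTERNS.items():
        if name in needed:
            continue
        body, n = pattern.subn(f"[{name} redacted]", body)
        if n:
            counts[name] = n
    return body, counts

def check_outbound(recipients, body: str, policy: Policy) -> dict:
    """Block the message unless every recipient is approved for this case;
    otherwise release it with everything but the needed fields removed."""
    unknown = sorted(set(recipients) - policy.approved)
    if unknown:
        return {"action": "block", "reason": f"unapproved recipients: {unknown}"}
    redacted, counts = redact(body, policy.needed)
    return {"action": "release", "body": redacted, "redacted": counts}

if __name__ == "__main__":
    msg = ("Statement for account 12345678, sort code 12-34-56.\n"
           "Card 4111 1111 1111 1111, NI QQ123456C.")
    policy = Policy(approved={"customer@example.com"}, needed={"account_number"})
    print(check_outbound(["customer@example.com"], msg, policy))  # released, 3 fields redacted
    print(check_outbound(["wrong@example.com"], msg, policy))     # blocked before leaving
```

A misaddressed message is stopped at the gateway rather than relying on the sender to have typed the address correctly, and even a correctly addressed one carries only the fields the recipient needs.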

It goes without saying that the less manual input needed from staff, including the typing of FAX numbers, the less risk there is of human error causing security breaches. With data breaches, it’s not a question of ‘if’ but, in many cases, ‘when’. Revisiting old business processes in a proactive manner will save potential embarrassment, and will probably result in improved efficiency as well.