PL&B UK E-news, Issue 33

1. Cahoot security flaw exposes customer accounts

Online bank Cahoot was forced to shut down its website for 10 hours yesterday after being alerted to a security flaw enabling Internet users to gain unauthorised access to customer accounts. An investigation by the BBC revealed that the bank’s password controls could be easily bypassed simply by typing in a customer’s user ID.

Infosecurity expert, Neil Barratt, told the BBC, “I’m shocked that it was so easy”, stressing that most online security breaches are more complex. One Cahoot customer described the breach as “disgraceful”, adding that she would close her account down.

Tim Sawyer, head of Cahoot bank, a subsidiary of the Abbey National Group, said the flaw occurred as a result of an upgrade to the website 12 days ago. He apologised to customers but attempted to reassure customers by stating that anyone hacking into the Cahoot site would not have been able to transfer funds out of the accounts. Sawyer stressed that the bank does carry out security testing on its systems, including penetration testing and the use of ‘ethical hackers’ to search for gaps in security. Nonetheless, he added that the incident had “not been our greatest moment” and pledged to conduct a review of security procedures.

2. UK government opposed Data Protection Act amendments

According to, the government is against suggestions that employees should be given greater rights to access to their personnel records. Following a ruling by the Court of Appeal last year (in the Durant v Financial Service Authority case), workers’ rights to access paper-based personnel files has been heavily restricted. In response to a Parliamentary question about extending the right of access to unstructured manual files, the Secretary of State for Work and Pensions, Alan Johnson, said, “We have no plans to extend the application of the 1998 [Data Protection] Act to unstructured manual personnel records.”

3. ICO appoint Chief Operating Officer

The Information Commissioner has appointed Simon Entwisle to the newly created post of Chief Operating Officer. The role will involve responsibility for operational effectiveness and efficiency across the Information Commissioner’s Office (ICO), including key areas such as data protection case work, regulatory enforcement, the Data Protection Helpline and the notification department. Commenting on the appointment, Richard Thomas, Information Commissioner, said, “This appointment further strengthens my office’s commitment to provide proficient data protection advice and enforce the [Data Protection Act] DPA where necessary.”

4. SMEs recognise business benefits of DP compliance

73 per cent of small-to-medium-sized companies (SMEs) understand the impact data protection has on their business operations, says a new study published by the Information Commissioner’s Office this week. The study, carried out by the University of Lincoln, found that 99 per cent of SMEs had heard of the Data Protection Act, with around 75 per cent stating that legal compliance was easy. Over 90 per cent of respondents agreed that privacy and confidentiality are important to their clients and business operations.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2004