A woman using a key code list to log in to an online bank on a laptop. S Bank, a Finnish supermarket bank with more than three million customers, said on Tuesday, 13 September, that an error in its online bank allowed a small group of customers to log in to the accounts of other customers over a nearly four-month period. (Anni Reenpää – Lehtikuva)


A SYSTEM ERROR at S Bank, the first so-called supermarket bank in Finland, enabled a few hundred customers to access the online banking services of other customers over a nearly four-month period earlier this year, between 20 April and 5 August.

S Bank on Tuesday reported that, in a very small number of cases, the error was exploited for wrongdoing, such as making unauthorised payments and accessing third-party online services.

The error, it underscored, was linked to the malfunctioning of a single software component of the online bank, meaning it was not caused by external factors. It was rectified as soon as it was detected, on 5 August.

Carl-Edvard Holmberg, the director of digital services at S Bank, declined to comment on the value of the unauthorised payments when contacted by Helsingin Sanomat on Tuesday.

“We’ve submitted a report of an offence to the police. We unfortunately can’t comment on the sums externally,” he explained. “S Bank has 3.1 million customers, and S Bank’s online banking credentials are used to log in to various services 20 million times a month. That’s partly why it took so long to detect the error and identify the customer transactions relevant for the error.”

He reiterated that the error affected only a small share of the clientele, a few hundred customers.

“Only a small group of them logged in to the online banks of others and, out of those who did, only a very small group committed wrongdoings,” he stated.

S Bank has asked police to investigate how the events unfolded and whether the customers who exploited the system error may have committed offences.

The bank pledged to compensate all customers who incurred direct economic losses as a consequence of the system error, saying it will proactively contact all customers affected in this way.

Holmberg told Helsingin Sanomat that most of the compensation has already been paid to customers.

“We apologise for the situation to our customers. We’ll shoulder our responsibility and compensate for any possible direct damage. Customers themselves don’t need to do anything to receive the compensation,” he said. “We’ve been in contact with all customers affected by the situation. If we haven’t been in contact with a customer, the error didn’t affect them and the incident requires no action from them.”

The system error is the data security slip-up of the year, Petteri Järvinen, an author focusing on data security, told Helsingin Sanomat on Tuesday.

“This isn’t an ordinary slip-up, as it’s related to services of the knowledge society. We’re used to thinking of online banking credentials as the bedrock of authentication that always works and is always reliable. All other services are built on them, such as dealings with Kela and Omakanta – along with banks’ own money transfer services,” he said.

Problems in online banking credentials thus gnaw away at the very foundation of modern-day society. Citizens are, in a way, prisoners of the identification systems of the banks they use, according to Järvinen.

“Banks have a heightened responsibility for the reliability of identification because they’ve insisted on holding on to identification and each developing their own procedure for it,” he stated.

Aleksi Teivainen – HT