S-Bank was not a suspect in an extraordinary fraud case in which a young person found a hole in its information security. Why did the bank avoid criminal liability?
S-Bank avoided the courts in an exceptional case in which a young person found a vulnerability in its online service and exploited it to the full.
According to the police, the young person warned S-Bank about his discovery, but the bank did not react. The young man then used the security hole himself, and as a result approximately 1.3 million euros were taken from customers.
HS reported on Tuesday that the case is now going to prosecutors for consideration of charges. The main suspect, who was 16 at the time of the incident, and his then 23-year-old accomplice are suspected of crimes, but S-Bank is not accused of anything.
HS readers have wondered how this is possible. For example, the former CEO of the psychotherapy centre Vastaamo, which was the target of a data breach, was convicted of a data protection offence, although he has appealed the verdict.
S-Bank itself initially filed the request for investigation with the police. The bank's role was clarified in cooperation with the authorities, says Detective Chief Inspector Klaus Geiger of the Western Uusimaa Police Department.
The criminal investigation is being conducted by the police department, which did not itself have sufficient expertise in the subject. The picture was therefore completed with the help of the Financial Supervisory Authority, the Central Criminal Police and the Data Protection Ombudsman.
“We have listened carefully and come to a conclusion. I understand why readers are puzzled. It has not been possible, at least at this stage, to find a crime title.”
The crime title is the designation that identifies the suspected offence. For example, the two main members of the group are suspected of aggravated payment instrument fraud and aggravated money laundering.
The case is complicated by the fact that behind the security hole lie complex information technology and subcontracting chains.
One of the authorities most familiar with the case is probably the Financial Supervisory Authority (Fiva). It supervises whether financial and insurance operators comply with the law and its regulations.
On Wednesday, Fiva did not take a position on the individual case, but according to HS's earlier information it considers S-Bank to be to blame. However, Fiva does not apply criminal law; instead it issues administrative sanctions, such as warnings and fines.
The police and Fiva operate “at the interface”, says Samu Kurri, head of department at Fiva.
“We help the police in these matters, and we deliver the accumulated material to the police, for example inspection reports. Ultimately, the powers on the criminal justice side rest with the police; that is, there is no joint meeting where someone bangs their fist on the table.”
Kurri speaks only in general terms. It is therefore not publicly known whether Fiva's information had any bearing on the bank's avoidance of criminal liability.
S-Bank has stated that the vulnerability was caused by an error in the “system vendor's software”. This refers to the subcontracting chain.
According to HS's information, Fiva has considered S-Bank's preparedness for exceptional situations to be insufficient. The bank outsourced its IT services to companies, which in turn outsourced them further, even abroad.
Fiva has noted that this kind of arrangement is becoming more common. However, blaming faults on a server hall rented over the internet does not absolve the bank of responsibility.
“The responsibility belongs to the supervised entity, such as a bank. As a slogan, you could say that the supervised entity can outsource everything except responsibility,” says Kurri.
Do the banks understand where the different paths lead and who is responsible for them?
“It's a legitimate question and a supervisory concern.”
Kurri stresses that banks should have information security experts who know how to raise threats as high in the decision-making chain as is required. Next year, EU regulation tightening supervision will increase the authorities' leverage.
“For the first time, the largest subcontractors will come under direct financial sector supervision.”
On Tuesday HS put additional questions to S-Bank by phone about how it reacted to the first report of the fault. S-Bank's general counsel Jussi Sokka replied by email:
“After receiving the notification, we started the investigations immediately. Unfortunately, with the information we had at the time, it was impossible to identify the vulnerability.”
On Wednesday HS again asked for confirmation of whether this report was the one made by the 16-year-old suspect. The bank says it does not identify the person who made the notification. However, it confirmed that “the phrase refers to the first contact identified as being related to the case”.
The Financial Supervisory Authority's earlier report, seen by HS, reveals that the IT expert who recorded the notification “couldn't immediately find out, based on the information received from the customer, what the issue was, and left the investigation unfinished.”
Fiva considered it a “clear error”.