back to article TSB meltdown latest: Facepalming reaches critical mass as Brits get strangers' bank letters

TSB customers have reported receiving letters from the British bank containing other people's details in the embattled firm's latest cock-up. The bank went into meltdown at the end of April when a long-planned migration off its former parent Lloyds Banking Group's infrastructure went badly wrong. Customers were unable to …

  1. Aladdin Sane
    Trollface

    Hi kids

    Today we're going to learn to spell GDPR.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hi kids

      Tomorrows lesson is percentages and we're going to start at 4%

      1. Anonymous Coward
        Anonymous Coward

        Re: Hi kids

        Tomorrows lesson is percentages and we're going to start at 4%

        I wish, you wish. But the limpwrists at the ICO have already said that they're going to go softly softly on enforcement this year, preferring education and improvement. Because those poor, poor businesses have only had two years to prepare themselves. Oh, and another four years since the original GDPR proposal was released.

        This is only fair for the destitute and beleaguered financial services sector. Lets face it, if you only had six years to prepare for something (eg a new speed limit), you'd be deserving of special leniency for a year or more after it came into force?

        1. Mark 85

          Re: Hi kids

          I wish, you wish. But the limpwrists at the ICO have already said that they're going to go softly softly on enforcement this year, preferring education and improvement.

          I wonder if ICANN will try to say they are a bank...

        2. TheVogon

          Re: Hi kids

          " But the limpwrists at the ICO have already said that they're going to go softly softly on enforcement this year, preferring education and improvement."

          I think you will find that blatant incompetence with widespread impact will still result in a large fine. The softly softly is for stuff that's new under GDPR and that might not have been clearly understood or implemented in time.

        3. phuzz Silver badge

          Re: Hi kids

          Given that the screwed all of this up before the 25th, does GDPR apply at all?

      2. Anonymous Coward
        Anonymous Coward

        Re: Hi kids

        Interestingly difficult to find up-to-date turnover ("revenue") figures for TSB. Wikipedia's latest numbers are dated 2014. The 2017 annual report rewports "income" of £1,096.1

        ( https://www.tsb.co.uk/investors/results-reports/ ) ... so a £40m fine, which will lose a few people their bonuses but shouldn't be that big of a deal for any properly capitalised bank. The ICO fine isn't where they're going to feel the pain; it's the FCA and PRA. I've been a tangential witness to the consequences of the FCA's more, er, focused officers getting very interested in an organisation after a spot of operational bother. It was serious brown-trousers (and skirts) time in the C-suite. Folk knowledge and urban myth notwithstanding, people DO lose their jobs, they DO get disbarred from practice, and in some cases they do get personally prosecuted. Not, perhaps, as often as should be - and they could certainly do with a honking great budget and headcount increase, as could other UK regulators - but in screwups this public, where every MP has affected consitituents, and sees an easy, popular target in front of them; and for every ambitious young FCA / PRA whiplasher, this is going to be fish in a barrel time.

        I am open to the possibility of having my head up my naive old arse, but let's see how it goes.

      3. LucreLout

        Re: Hi kids

        Tomorrows lesson is percentages and we're going to start at 4%

        I've been wondering about that. I mean, lets assume the ICO actually grow a pair and start using their powers.... Surely this is an incentive to restructure every pan-European company into seperate entities? TSB is UK only, so fines would be capped at 4%. Someone like, say Farcebook, is pan-European, so could be fined 4% in each legal jurisdiction, which adds up to rather a lot more.

        Obviously, that'd only be relevant, as I said, if the ICO actually started to do their jobs instead of simply existing to protect corporate law breakers from robust legal action.

    2. leexgx

      Sms Should not be used for 2fa purposes

      It should be code generator ( Authenticator app) or the banking app it self

  2. Anonymous Coward
    Anonymous Coward

    Well on the plus side for them - its a bank, so no one will be held to account.

  3. Richard Jones 1
    WTF?

    Guiness Book Of World's Records

    Who is trying to scoop the pool for the most disasters in one gloriously screwed up project?

    It must be time to hit both the stop and re-set buttons and try to do something else.

    1. DJV Silver badge

      Re: Guiness Book Of World's Records

      Yes, I hear they are going into the brewery business and are going to attempt to organise a piss-up...

    2. phuzz Silver badge

      Re: Guiness Book Of World's Records

      At least if they'd managed to delete every customer file, they wouldn't have to worry about data protection.

      Don't need to protect the data if you've deleted it all ;)

  4. DJV Silver badge
    Facepalm

    TSB

    A Totally Stuffed Bank whose managers appear to be Tiptoeing Silently Backwards, the Terminally Stupid WBankers!

  5. anthonyhegedus Silver badge

    Not fit for (any) purpose

    The buck stops with the CEO and other directors. They should be made personally liable for this mess, and reimbursing every customer. This is now becoming an absurd comedy of errors. The directors need to be punished. They're not running a cinema, or a supermarket, or an email service. This is a bank, and certain standards need to be adhered to. It is absolutely clear that the management of this organisation don't give a shit about their service.

    1. Chronos

      Re: Not fit for (any) purpose

      Oh, they have standards. They're not very high, but they've got them.

      They weren't all that clueful back before Lloyds gobbled them up, when they started calling themselves the TSB Bank. So that'll be the Trustee Savings Bank Bank, then?

      Resurrected, it seems it's [monkey] business as usual for TSB.

    2. Tom Paine
      Mushroom

      Re: Not fit for (any) purpose

      The buck stops with the CEO and other directors. They should be made personally liable for this mess, [..]

      What, like this?

      https://www.bankofengland.co.uk/prudential-regulation/key-initiatives/strengthening-accountability

      and reimbursing every customer.

      If you had the slightest idea what you were talking about, you wouldn't say something so silly. :)

  6. Anonymous Coward
    Anonymous Coward

    This may explain why I haven't yet received a letter about my complaint to TSB (which related to a comparatively minor issue of being unable to get online statements).

    Surely they can't come back from this?

  7. the hawk

    This story brought me so much joy and happiness. It’s just too perfect!

    Needless to say I’m not a customer.

  8. Dan 55 Silver badge

    Why do they still have customers?

    There's data clusterfuck that's still not over, not even a month and a half later.

    Scamming still carrying on, possibly due to crappy website security.

    Seems like the bank hasn't rolled out extra customer support channels.

    The only thing that's going to happen if this is allowed to continue is other banks won't bother either.

    1. Richard 12 Silver badge

      Re: Why do they still have customers?

      Because TSB are in such a meltdown that leaving takes weeks.

      And in some cases kills the customer - several suppliers with Direct Debits with people who've closed their TSB accounts have been sent letters saying the account holder had died.

      That mess is also quite hard to resolve.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why do they still have customers?

        If you leave now you'll miss out on all the compensation.

        1. Dan 55 Silver badge

          Re: Why do they still have customers?

          Keep a quid in the account.

  9. adnim

    sql

    I was going to say perhaps a schema has changed and the joins don't reference the right columns any more.

    Then I thought, Nah I don't have a clue. A professional team could not make that kind of mistake.

    Then I thought have they employed a professional team?

    I don't know what my colleagues think of my work practices when I spend most of my time looking out of the window. I call it planning.

    1. Anonymous Coward
      Anonymous Coward

      Re: sql

      “I thought they employed a professional team”

      You must have missed the memo. They employed IBM.

  10. Oh Homer
    Mushroom

    Re: "Terminally Stupid Bankers"

    Taking Security Backwards with a Technical Screwup Blitzkrieg.

    Soon to be a Totally Suspended Bank, hopefully.

  11. d3vy

    I've only just got access to my business accounts today!

    Seven weeks. A day's worth of sitting on hold and a full day in branch to get this resolved.

    I'm going back tomorrow to get compensation sorted.

    1. Boris the Cockroach Silver badge

      In your situation I would be going back tommorrow to close the accounts....

      <<<waiting for the banks he has money in to go TITSUP

      1. d3vy

        Well I've been with them since the 90's and this is only the second time I've had to make a complaint so I'm not going to have a knee jerk reaction and close the accounts (an action that would require some effort on my part) and move to a bank that might be worse.

  12. Anonymous Coward
    Anonymous Coward

    ... and Crapita

    Just received a letter from Crapita to somebody who has never, ever, lived here.

    Better half used to work for Crapita.

    Crapita (Hartshead subsidiary) were anxious to explain how GDPR might affect this person and how they used personal data in relation to the pension fund.

    Perhaps they out-sourced the out-source to the same people?

    1. Tom Paine

      Re: ... and Crapita

      In a way, I'm almost disappointed TSB made such a thorough job of spraying themselves in ketchup and BBQ sauce and jumping up and down in front of the metaphorical ICO dragon shouting "Me! Me! I taste delicious!! Come on, then you tosser, come and have a go if you think you're flamey enough!!" Not to worry.... there's a long tail of other fun test cases and precedents to litigate, no doubt it'll still be getting fought out well in to the 2020s. If anyone can afford lawyers after Brexit.

    2. David Knapman

      Re: ... and Crapita

      Sorry, are you admitting to opening post not addressed to you? You know you're not meant to do that, right?

      Blot out the address (not technically required but sometimes the helpful posties will attempt to redeliver if the address is still visible), scrawl "not know at this address" on the envelope, stick it back in a post box.

      1. david bates

        Re: ... and Crapita

        Nat West tried this line with me when I opened letters for the last owners of my house. I opened the letters because I did not want the bailifs turning up on my doorstep trying to recover their debts.

        As I'd already informed NatWest that the people they wanted did not live at my house I managed to wring an admin fee out of them.

      2. Steven 1

        Re: ... and Crapita

        If I'm getting letters delivered to my address but to people I've never heard of your damn right I'm opening them.

        When the oh so charming bailiffs turn up trying to enforce a writ I want some advance warning.

        Been there done that.

        In my experience they’re not that bothered about mistaken identity either, my girlfriend (now wife) had two goons turn up to try and collect on a debt for a woman with a different first name, birthday and address to her (woman at one stage lived about 20 doors away) from an organisation she had no links with whatsoever.

        I would add these two were at the more budget end of the debt collection spectrum rather than the more pucker one’s you might’ve seen on TV.

  13. MdeB

    My guess is that it is a physical device problem: letter folder taking two sheets at a time instead of one.

    1. Aitor 1

      weight

      That is why you should measure the weight of the letters.

  14. Grikath

    "It's a bank in absolute meltdown – they've totally lost all grip of how to respond to customers."

    That right there is the biggest mistake.. Since when did banks care one whit about their customers?

  15. Tromos

    Has anybody tried...

    ...switching the bank off, then switching it on again?

    1. DavCrav

      Re: Has anybody tried...

      "Has anybody tried switching the bank off, then switching it on again?"

      They switched it off at least.

  16. Rustbucket

    Enough blame to go around.

    In the case of the SIM fraud, they should be suing the network provider as well as the bank.

    1. JerseyDaveC

      Re: Enough blame to go around.

      Correct. SIM swap fraud is far from a new thing, and if a phone company doesn't authenticate its customers correctly then it's a very easy thing to do.

  17. Anonymous Coward
    Anonymous Coward

    Ha, admittedly it is fun until someone looses an eye

    Do not think for one second that any of the other banks are more competent, they just have more experience at hiding their cockups.

    Given that Banking is the last major industry in the UK and with the sale of the last of the country's gold by G Brown resulting in GBP being is based soley upon GDP then you would imagine that something would be done about having a GDP once banking falls over for good.

    Perhaps if we all leave the UK, become EU citizens after BREXIT and then come back as immigrants then we can finally have an intelligent say in how the country is run.

  18. Anonymous Coward
    Anonymous Coward

    Typical Spanish Bank?

    Ola adiós

  19. solv

    SMS is not a secure method of delivery for 2 Factor authentication....most people in IT have known this for at least 3 years now - SIM swapping is just too easy.

    How in holy hell a bank is allowed to continue to use this method is beyond me...

    It's really not that hard to implement either Google authenticator or something like symantec VIP

    1. Dan 55 Silver badge

      Or a card reader where you show you have the card and know the PIN but don't input it on either a computer or a mobile app.

    2. Cpt Blue Bear

      "....most people in IT have known this for at least 3 years now"

      Three years?! If they are in their early 20s maybe but the rest of us knew this after thinking about the process for about 30 seconds.

  20. Anonymous Coward
    Anonymous Coward

    TSB

    Treating

    Scammers

    Better

  21. Phage

    Interestingly, one of the things mentioned is getting much more common. It is incredibly easy to have your phone hijacked. PAC codes are almost completely insecure. Happened to me.

  22. HmmmYes

    How close are the BoE to pulling the plug?

  23. sanmigueelbeer

    I'm going back tomorrow to get compensation sorted.

    I think "the best offer" you'll get is a free lifetime coffee/tea or £100 (whichever is lower).

    But the limpwrists at the ICO have already said that they're going to go softly softly on enforcement this year, preferring education and improvement.

    The Australian Competition and Consumer Commission is mandated to be champion for consumer law. The recent Australian Royal Commission on the banks have lifted a lid about how the ACCC works. One of the things mentioned is that the ACCC is (mostly) staffed by bank employees in secondment to the ACCC. These people help the Australian banks getting away with some of the dodgiest banking practice we've ever seen. This is also one of the biggest reasons why the ACCC is reluctant to go after the big four banks in Australia and instead, it goes after the small banks & business (like a bully).

    Since Australian systems are basically a copy of the British system, maybe they have the same sort of practice (hence the "softly, softly" approach)?

    1. Nick Stallman

      Error the ACCC has no jurisdiction over financial services.

      Or do you mean ASIC who handles that entire industry?

  24. RobinCM

    Perhaps

    If TSB hadn't been forcibly split off from Lloyds then this wouldn't be an issue.

    Any large scale data migration is going to have problems. These problems are exacerbated due to money being involved. Hands up if you've done a data migration of this scale and had zero issues?

    I feel rather sorry for TSB in some respects. Forced into existence, they hire a supposedly expert firm to manage their systems and data migration only to have it blow up in their face. So they're paying through the nose for IBM, and now they're having to deal with frauds, fines and legal nonsense too. And try and provide some kind of valuable service to customers.

    1. Androgynous Cupboard Silver badge

      Re: Perhaps

      If Lloyds is going to borrow 20bn of the taxpayer, the fact this loan came with conditions like "trim your bloated ass by selling off TSB" shouldn't be a major surprise. The fact they then attempted to hit a migration deadline that was clearly unattainable is no-ones fault but their own.

      FWIW I've been using Bank Of Scotland for my business banking for quite a few years now - they too were gobbled by Lloyds, and while it hasn't quite gone to shit as much as it has for TSB, they've since dropped the ball enough times for me to put "move banks" on my to-do list. Whole group is rotten to the core.

    2. Dan 55 Silver badge

      Re: Perhaps

      If TSB hadn't been forcibly split off from Lloyds then this wouldn't be an issue.

      You can't have Lloyds, TSB, Halifax, and Bank of Scotland all belonging to the same group and claim there's a functioning competitive retail banking market where choice is offered.

  25. julian_n

    Sadabell

    Apparently, not only are Sadabell in a mess over this - they are also most exposed to Italian and Spanish Government debt which might just be a bit riskier following new governments in those two countries.

    You have to admit - they are consistent!

  26. teebie

    "We are working with our third-party supplier to understand the root cause of the error and we'd like to apologise to anyone that may be impacted."

    Your third-party supplier whose actions you are responsible for?

    1. Hans 1
      Unhappy

      Your third-party supplier whose actions you are responsible for?

      Worse, still, TSB, I do hope you got approval from your customers for the sharing of personal data with those third parties, obviously inline with GDPR, right ?

      I seriously cannot see how they can get out of this mess, I know they have to somehow (they are a bank), but Feynman ...

      Icon: feel sorry for customers

      1. Dan 55 Silver badge

        I expect they need to be able to share data with their printers to be able to send the statements.

        And their printers are only printing what TSB tell them to, which brings them back to messed-up back office data or a process which gets confused as it doesn't scale to a bank like TSB's size.

      2. LucreLout

        I seriously cannot see how they can get out of this mess, I know they have to somehow (they are a bank)

        Ok, up front, I work for a bank - I've never made any secret of that.

        I question the whole idea of TSB surviving. Surely it has reached the point where they are going to be overwhelmed with compensation cases, fines, and customers fleeing just as soon as allowable, and with such reputational damage, that survival becomes uneconomic?

        Would it not be simpler to shutter the lot, and novate customer credit balances to other providers? I realise that means they have to figure out how to associate an account with a person correctly, but if you scrape away their web tiers etc and only looked at the core mainframe (it will be) data, you could do this quite quickly.

        Banks should have been allowed to fail. Quite why labour ever bailed them out is a mystery to most of the industry - yes contagion had to be stopped, but crippling lloyds with the rotting remnants of RBS didn't really achieve that.

        Let TSB go - its already dead it just hasn't realised yet.

  27. Steven 1

    Voting with your feet

    Already had enough, it's been one cock up after another so I've pulled the plug on them and moved.

    Historically I was a Lloyds customer who never asked to be bumped over to TSB, they just decided my branch was going and that was that.

    Did it old school as I assumed any migration process was as likely to cock up as anything else they've done recently.

    If enough people whip their money out from them I can see that causing them a few problems as well, not sure what their liquidity ratio is but might be interesting to keep an eye on it.

  28. Anonymous Coward
    Anonymous Coward

    I think TSB are in serious s**t.

    I recently provided a written statement along with evidence(screenshots) to another customer's lawyer about having access to their account statements through my wife's TSB online account during the problems. Their lawyer thinks this is a spectacular failure from TSB and is quite rightly excited by the pending litigation. I on the other hand only see one winner in this and it won't be the victim, TSB or any TSB customer for that matter.

  29. Ralph76

    Don't mention the war..

    It is just a good job the entire world and his dog have not been spamming all 7 Billion humans on the planet with email, adverts, videos, wall posters, billboards and the rest, with news of impending GDPR guidelines.

    I mean, if THAT had been the case, TSB would have no excuse whatsoever for such a shocking data leakage.

    Luckily, it was only mentioned the once and I think they got away with it...

  30. RedCardinal

    And....what exactly is the ICO doing about this flagrant breach of the Data Protection Regulations?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon