Weekly podcast: TSB, hotel locks and NATO exercise

This week, we discuss TSB’s chaotic system upgrade, a security flaw in electronic hotel locks and a major NATO cyber security exercise.

Hello and welcome to the IT Governance podcast for Friday, 27 April 2018. Here are this week’s stories.

TSB’s chief executive Paul Pester has said the bank is on its knees after a botched system upgrade caused chaos this week, leaving around half of its customers unable to access their accounts – although some were able to access other people’s. Others reported seeing wrong balances, unexplained transactions and payments erroneously made multiple times.

Many branches report staff morale to be at an all-time low thanks to the crisis, with one telling the BBC that branch staff were “physically and emotionally exhausted” because nothing was working.

“In my branch,” he said, “every member of staff has been in tears and all [say] this has been the worst working experience of their lives. It is heartbreaking for me as a manager seeing my amazing team break down one by one.”

The problems started last weekend, when TSB transferred its customer data from the IT system of its former owners, Lloyds, to that of its new owners, Sabadell.

However, the chaos that ensued prompted the chair of the Treasury Select Committee, Nicky Morgan, to write to Mr Pester, saying: “Potentially millions of customers could be affected by uncertainty and disruption. It simply isn’t good enough to expose customers to IT failures, including delays in paying bills and an inability to access their own money.”

Asked by the BBC whether he would resign, Mr Pester said: “I haven’t even had time to think about it.”

Sabadell at least was pleased with how the migration went. The bank’s chairman, Josep Oliu, said:

“With this operation, Sabadell demonstrates its capacity of technological management not only in national but also international integrations. The new Proteo4UK platform is an excellent starting point for organic business growth and improved TSB efficiency.”

Security researchers have discovered that millions of electronic door locks used in hotel rooms around the world are vulnerable to hacking. According to F-Secure, flaws in the equipment’s software – Vision by VingCard – mean it’s possible to create master keys that open doors without leaving any record.

A spokesperson for the Swedish lock manufacturer, Assa Abloy, said:

“Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure.

“These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology.

“Digital devices and software of all kinds are vulnerable to hacking. However, it would take a big team of skilled specialists years to try to repeat this.”

Assa Abloy’s locks are used in high-profile hotel chains around the world, including Intercontinental, Radisson, Hyatt, Sheraton and Waldorf Astoria.

F-Secure has worked with Assa Abloy for a year to implement software fixes. Updates have been made available to all affected properties.

NATO has announced that it has launched “the largest and most advanced international live-fire cyber defence exercise” this week to “practise protection of national IT systems and critical infrastructure under the intense pressure of a severe cyber attack”.

Locked Shields 2018, run by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), sees the fictional country of Berylia experience “a deteriorating security situation, where a number of hostile events coincide with coordinated cyber attacks against a major civilian internet service provider and military airbase. The attacks cause severe disruptions in the operation of the electric power grid, 4G public safety networks, drone operation and other critical infrastructure components”.

Participating nations can practise “the entire chain of command in the event of a severe cyber incident, from strategic to operational level and involving both civilian and military capabilities”.

According to CCDCOE, the exercise is running from 23 to 27 April.

Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.