DBS needs reputation damage control

Southeast Asia's biggest bank needs to relook at internal risk management framework, to reassure customers that incident will not repeat, industry observers note, after second security breach in as many months.
Written by Ellyne Phneah, Contributor

With DBS hit by a second card skimming incident in as many months, customers express distrust and disappointment with the bank. Industry watchers advise that the bank launch a full-scale review of their security setup and focus on reassuring customers that a repeat will not happen.

Edison Yu, industry manager of Asia-Pacific ICT Practice at Frost & Sullivan, noted that some damage control must be done to salvage DBS's reputation as a "safe haven" for people's deposits and savings, especially with two hacking incidents coming so soon after the bank had revamped their security set-up.

Yu was commenting on DBS being hit with a second round of unauthorized ATM withdrawals last night, which saw 17 customers lose S$23,000. This happened only slightly over a month after S$1 million had been stolen from the accounts of 700 DBS and POSB customers from ATMs in Malaysia.

According to Yu in an e-mail, the incident will cause customers to question the bank's effectiveness in resolving security issues which has emerged after the first hacking incident, along with the measures taken after its internal review.

"People will also start wondering if the first review exercise only succeeded in resolving symptomatic issues rather than curing the heart of the issues themselves," he added.

Slew of distrustful customers
Most customers expressed outrage and disappointment over the bank's security system.

Twitter user @fazlinferrer proclaimed that she did not trust the bank anymore and wanted to open an account at rival bank, OCBC. Student Ang Jin Yan also said, "They suck, nothing they do will regain my trust, whether it's freebies or a public apology."

DBS customer Ivy Teo also told ZDNet Asia that this has eroded the confidence she placed in the bank. "Even though my account is not affected, I'm still scared and am already thinking of changing to another bank," she said.

Another customer Kyle Lee also added because the two hacks happened within such a short frame of time, it is "evident they did not do enough to protect [his] money."

However some consumers expressed understanding or indifference over the double hack incident. Forum user Litmuss, for instance, acknowledged that it was a tedious process for DBS to deactivate those whom they suspect were at risk. "As long as they [are] willing to compensate quickly, I don't see why customers should be worried," the user wrote.

Another customer Serene Quek, an engineer also stated that she was "fine" as long as the incident did not happen again. She added that customers did not have to worry as long as the bank is able to promptly reimburse customers the full amount.

Relook back-end, protect public perception
While DBS had been quick to enforce changes to their security setup in the aftermath of the first hacking incidents, the resurfacing of a second incident is indicative of possible flaws and underlying security loopholes afflicting their internal security systems, Yu pointed out.

He advised that the bank should launch a full-scale review into the entire security setup used in banking operations and relook at the risk management framework of the organization.

The bank will also face challenges convincing customers that they can "cure the ailment" in the security set up, and not just getting rid of the symptoms, Yu added. Moving forward, they must take an active and serious stance on the seriousness of the matter, and ensure the next round of remedial action will not result in such incidents again.

His view was reinforced by Ruben Simpliciano, director of technology practice at Burson-Marsteller Singapore, who noted that the company needed to focus on action. "People are looking for assurances, not freebies," he said. "[They] must proactively communicate what measures are already in place and what steps they are going to take to prevent similar incidents in the future."

However, the bank must also not give a false sense of security, because the public must know that a company can never be completely immune from attacks, in an age where hackers have become increasingly sophisticated and more high-profile companies are breached, Simpliciano added.

Another public relations professional, Mayda Jutahkiti however, offered a different perspective. DBS had done a commendable job of mitigating the impact of the first incident previously, noted the general manager of The Hoffman Agency Singapore.

"They came across as being proactive, transparent and accountable and these are all the key ingredients in any crisis management," she said. "If DBS sticks to this approach, they should be able to keep their reputation intact."

DBS, on its Twitter account @dbsbank, reassured customers that measures were in place. "We've taken steps to replace affected cards. Read about our security measures here," it tweeted.

The bank declined to comment when approached by ZDNet Asia.

Editorial standards