Egg admits another personal data blunder

Tormented online bank Egg has admitted that until a fortnight ago it was standard practice to send out customers credit-card numbers and other personal data in unencrypted emails

The revelation comes a day after it was discovered that an Egg customer's bank account was illegally accessed by another Egg user.

Two weeks ago Egg admitted it had sent a customer an unencrypted email containing credit card details but described it as "an isolated incident". A week later the bank confessed that this had in fact happened on a number of occasions but promised that it was "only a few cases."

Now the bank says its actions were "not a mistake" but a practice senior management was fully aware of. An Egg spokeswoman told ZDNet UK News Wednesday, "It was not a mistake. We only stopped the practice because it was alarming customers but we have to stress that at no time were they at financial risk. We didn't feel that it was a security problem."

One online security expert, Richard Stagg of Information Risk Management, described Egg's admission in no uncertain terms. He says, "It not very clever. In fact it's very, very unclever. Even a script kiddie could put a sniffer outside a firewall to pick up all email traffic. It's very, very unsafe."

Stagg also says that, taking into account Egg's glossy advertising and bold claims about security it should answer for this. "There absolutely should be some sort of responsibility. If you make a big thing about Internet security then there should be a good policy on email."

Stagg makes another revelation about Egg saying, "I was actually put off Egg ages ago when I saw an add in a brochure saying, 'Egg beleives in security, it uses Firewall one. If you believe in security you don't advertise what firewall it uses."

But according to a spokesman from the Association for Payment of Credit Services (APCS) banks are under no obligation to secure credit card numbers or personal details. The spokesman said: "They [Egg] are obviously taking a risk, but they must have assessed that risk and decided that it's minimal."

Egg said that despite its recent security record, its public image would not suffer: "I don't think customer confidence has been damaged. A proportion of customers may have had their confidence dented in some way. We're not saying that we're perfect and on a huge learning curve so obviously there are going to be a few hiccups."

Jake Wakefield contributed to this story

What mesures do you think banks should take to protect customer's personal information?

Make yourself heard in the Mail Room