Today, we received an invoice for one of our expenses. To send the payment, I logged into Bank of America’s website to use their ACH (Automated Clearing House) system. Once logged in, I was able to click on the ‘Transfers’ button. Up until this point, everything was fine and I was viewing my own account. However, after entering the transfer interface, I ran into a huge privacy issue that should have never occurred in an online banking session: I was looking at someone else’s name, bank accounts, balances, e-mail address and more.
I have attached screenshots (with some information redacted) and have also e-mailed the bank reporting the issue. I am definitely not WATSON, and these are not my bank account numbers or bank account balances. It’s possible* that, had I gone through with this payment, it would have come out of WATSON’s account and not mine.
Logging out and logging back in seemed to fix the issue, and I haven’t been able to reproduce it since its first occurrence.
Here is the letter to which we have not yet received a response:
This is a serious privacy issue that needs to be addressed. If I can see someone else’s information, doesn’t that mean someone can see yours or mine?
* Some readers pointed out that this is possible but not clear, and the text has been updated to reflect that.