Anneli tried to tell S-Bank about the misuse of her account to no avail

Anneli believes he was a victim of S-bank’s data breach.

Annel’s name has been changed in this story to protect her privacy.

For several months, there were problems with S-bank’s online banking credentials, which enabled another customer to log in to the online bank.

Problems occurred between the end of April and the beginning of August.

According to S-bank, the disturbance enabled a few hundred customers to access other customers’ online banks. However, not all of them encountered an error and thus logged into the wrong person’s bank.

According to S-bank, the system malfunction was also used for abuses, such as unauthorized payments and logging into third-party online services.

The police are investigating the case.

The card was closed

Annel has had S-bank’s credit card. He has been a customer of the bank for a long time.

In May, Annel did not need to use S-bank’s credit card, as she only had the card on hand in case larger purchases needed to be made. He had a credit limit of 2,500 euros on the card.

At the beginning of June, however, he received a message from the bank telling him that his card had been closed due to unspecified withdrawals.

Anneli became worried about the situation and logged into online banking to see and find out what had happened.

He noticed that the card’s new credit limit was 8,000 euros. In addition, large individual withdrawals had been made from the account and card.

The high credit limit came as a complete surprise to Anneli, as she had never signed or approved a credit limit increase, let alone done one.

Big withdrawals

Large withdrawals had been made from Annel’s account and card. The account statement revealed that the largest transfer from credit to account was 3,000 euros. Several withdrawals and transfers of thousands of euros had been made.

When Anneli noticed the situation, she immediately contacted the bank, from which she received a breakdown of the account transactions for the previous three months.

Iltalehti has reviewed the account transactions.

The card and its credit feature had hardly been used before the end of May. During three days, 89 bank transfers had been made from Annel’s account, which she herself does not recognize.

During one day, 2,500 euros were first transferred from his credit to the checking account, and later on the same day another 3,000 euros.

All unidentified account transactions were scheduled for a few days at the end of May.

Companies and individuals unknown to Annel had made the withdrawals.

Anneli had never heard of the persons or companies in question.

The total receivables on S-bank’s credit card rose to more than 8,200 euros. In addition, interest and collection costs are added to the amount.

The bank’s reaction

When the matter came to light, Anneli made a complaint to the bank. He explained the situation and said that he had not made any withdrawals during the days in question and had never heard of the companies in question. According to Annel, the bank treated the situation lightly.

Iltalehti has seen correspondence between Annel and the bank.

After the first contact, the bank sent a message apologizing for the situation.

– We understand that the situation is unfortunate. Unfortunately, however, we cannot refund the transactions, they remain your responsibility, S-bank’s message states.

Anneli filed a criminal complaint.

Anneli contacted S-bank by phone and tried to clarify the situation with the bank. It was explained to him that the transfers had been made from a Samsung phone on a certain day. Anneli tried to find out that she doesn’t have the phone in question or any other smartphone.

However, S-bank asked for an additional explanation of the situation, to which Anneli submitted all possible documents and explanations, which she could barely come up with. He explained that he doesn’t have the phone in question and he hasn’t shown, lost or given anyone online banking credentials or a key reading list. The report also included receipts for refueling the car and the meetings he had attended during the period.

After further investigation, the bank responded by telling what Anneli had denied. However, the message stated that despite the denial, all the reported events were confirmed with S-mobile, which was used from a Samsung phone.

To activate S-mobile, you need your personal online banking credentials, i.e. your online banking username, password and code from the access code table, as well as the confirmation code sent by text message. The code table that was used in the implementation of S-mobile is only in your possession. The bank does not have access code tables or the codes contained in them, which could be obtained by an outsider, the message stated.

A lawyer for help

Anneli says that in a phone conversation with a bank clerk, the clerk questioned what Anneli said and said that it would seem that Anneli had planned the act together with her foreign ex-spouse and that the money had been transferred abroad.

Anneli hired a lawyer to help.

Through a lawyer, Anneli demands compensation from S-bank for the amount corresponding to the crimes, interest costs and legal fees.

In a message sent to the bank, Annel’s lawyer also drew attention to the rude treatment of customers.

– The matter has been treated dismissively, leaving the customer in the lurch. When I was in contact with your bank, I was able to freeze the collection of the credit invoice while the matter is investigated, says the lawyer’s message.

The case is still under investigation. Anneli says that she has not received any contact from S-bank. Iltalehti has not been able to verify whether Anneli is a victim of S-bank’s data breach, because Anneli has not received any related contact from the bank, even though the bank claims to have been in contact with all the customers affected by the matter. However, all the details of Annel’s case point to the data breach in question.

This is how the bank commented

Director responsible for the development of S-Bank’s digital services Carl-Edvard Holmberg says that S-Bank takes the security of its services very seriously.

– We take all customer contacts very seriously and thoroughly investigate all reports received from them about possible abuses.

How many cases do you know of where a customer has reported abuse of their account / card, but the matter has not led to action on the part of the bank or the customer has not been trusted?

– We receive various contacts from our customers, but unfortunately we cannot reveal the numbers in more detail. We respond to all complaints made by our customers.

In the event that the delivery came to the attention, the bank would have put the credit invoices into collection, even though the customer stated that he knew nothing about the account transactions in question. The customer had not used the credit facility much before. Is your normal course of action in such situations basically to doubt what the customer is telling you?

– I cannot comment on individual cases. We have been in contact with the online bank’s message or letter to all customers who were affected by the now public identification system failure. If the customer has not been contacted, the disruption did not affect him.

Do you know of any cases where a customer was accused of purchases made by a hacker?

– We investigate all complaints we receive carefully, following the bank’s complaint handling process and the requirements set by the regulation. In handling complaints, we use all available information, on the basis of which we give a decision in each case. If they wish, our customers have the right to apply for a resolution recommendation (Insurance and financial advice) from FINE for our complaint decision.

After the data breach, have you investigated your bank’s processes regarding such abuse reports? Have you found something to improve in your operations?

– We receive various contacts from our customers all the time and we are constantly developing our operations. We take seriously all reports of abuses and deviations, and we carefully assess what kind of measures the reports lead to.