An anonymous whistleblower has revealed that Australian FinTechs stored customers' bank details and sold enquirers' credentials to third parties, even after those users had discontinued or left the company's service.
Who is the whistleblower?
According to reports, the anonymous whistleblower, who currently works for a FinTech start-up, made the revelation to the Australian news website Michael West Media. The whistleblower, referred to as "he" in the report, described how FinTech companies handle enquiries from potential customers by asking for their bank customer registration number (CRN) and password, and then quietly log in to the enquirer's bank account. Because a CRN and password grant the same interactive access the customer has, rather than a scoped, revocable read-only token, that access persists until the customer changes the password. According to the whistleblower, the companies keep it for months, raising clear doubts about their compliance with data-protection laws.
He further said that this practice was rampant among companies offering "buy now, pay later" (BNPL) services. Such services were extensively provided by lenders and brokers such as Ezidebit, Tiger Brokers, and Zip Pay, which, according to the whistleblower, were found to be flouting data privacy laws.
Citing the example of a customer contacting a company to check their eligibility for a credit application, the whistleblower said the organisation answered the question but did not erase the credentials the person had provided. Instead, it kept logging in to the account to screen scrape, that is, to copy the balances and transaction details displayed on the bank's pages.
Banks also blocked some access
He added that banks sometimes blocked these companies' access, classifying the logins as malicious activity. Compounding the breach, he noted that FinTechs continued to monitor their customers' bank details without the person's knowledge.
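The kind of blocking described above relies on a bank being able to tell a customer's own logins apart from a third party replaying the customer's credentials. The following is an added example, not code from the article or from any bank, of detection logic a security team might run over online-banking login records. The log fields, thresholds, IP addresses, CRNs and user agents are all constructed for illustration. It looks for three signals of credential sharing: one source address authenticating to many different customers' accounts, an automation client rather than a browser, and logins to the same account on a fixed schedule, which is what months of silent polling looks like in the logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Hypothetical detection thresholds; a real deployment would tune these.
AUTOMATION_UA_MARKERS = ("python-requests/", "curl/", "Go-http-client/", "HeadlessChrome")
MANY_ACCOUNTS = 5                          # distinct CRNs from one source IP
MIN_SERIES = 5                             # logins needed before judging cadence
CADENCE_TOLERANCE = timedelta(minutes=5)   # jitter allowed in a "scheduled" series


def _scraper_series(crn_start, days):
    """Constructed logins: one host polls six accounts at 02:00 UTC every day."""
    rows = []
    for offset in range(6):
        crn = f"CRN-{crn_start + offset}"
        for day in range(days):
            ts = datetime(2022, 10, 1, 2, 0) + timedelta(days=day)
            rows.append((ts.isoformat(), crn, "198.51.100.7", "python-requests/2.28.1"))
    return rows


# Constructed sample log: (timestamp UTC, masked CRN, source IP, user agent).
SAMPLE_LOGINS = [
    # Customers' own logins: home addresses, normal browsers, irregular times.
    ("2022-10-03T08:12:00", "CRN-1001", "203.0.113.10", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"),
    ("2022-10-05T19:40:00", "CRN-1001", "203.0.113.10", "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)"),
    ("2022-10-04T12:05:00", "CRN-2002", "203.0.113.44", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
] + _scraper_series(1001, 7)


def _parse(rows):
    return [(datetime.fromisoformat(ts), crn, ip, ua) for ts, crn, ip, ua in rows]


def detect_credential_sharing(rows):
    """Return (rule, subject, count) findings for logins that look like a third
    party using retained customer credentials rather than the customer."""
    events = _parse(rows)
    findings = []

    # Rule 1: one source address authenticating to many distinct customer accounts.
    accounts_by_ip = defaultdict(set)
    for _, crn, ip, _ in events:
        accounts_by_ip[ip].add(crn)
    for ip, crns in sorted(accounts_by_ip.items()):
        if len(crns) >= MANY_ACCOUNTS:
            findings.append(("many_accounts_one_source", ip, len(crns)))

    # Rule 2: a scripting or headless client instead of a customer's browser.
    automation_ips = {ip for _, _, ip, ua in events
                      if any(marker in ua for marker in AUTOMATION_UA_MARKERS)}
    for ip in sorted(automation_ips):
        findings.append(("automation_user_agent", ip, None))

    # Rule 3: the same account hit from the same source at near-constant intervals.
    series = defaultdict(list)
    for ts, crn, ip, _ in events:
        series[(crn, ip)].append(ts)
    for (crn, ip), stamps in sorted(series.items()):
        if len(stamps) < MIN_SERIES:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= CADENCE_TOLERANCE.total_seconds():
            findings.append(("scheduled_access", f"{crn}@{ip}", len(stamps)))

    return findings


def sources_to_block(findings, min_rules=2):
    """Source IPs that trip at least `min_rules` independent rules; these are the
    candidates a bank would cut off as malicious activity."""
    rules_by_ip = defaultdict(set)
    for rule, subject, _ in findings:
        rules_by_ip[subject.split("@")[-1]].add(rule)
    return sorted(ip for ip, rules in rules_by_ip.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect_credential_sharing(SAMPLE_LOGINS)
    for finding in found:
        print(finding)
    print("block:", sources_to_block(found))
```

Requiring two independent rules before blocking keeps a single customer who happens to use a scripted client from being locked out, while a host that logs in to six accounts every night with `python-requests` trips all three. Real deployments would key rule 1 on the source network rather than a single address and add the customer's known devices as an allow-list.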
Further investigation found that FinTechs request private login credentials directly on their websites. One example is the data policy of the Australian personal finance application Pocketbook, which reads, "Due to the nature of Pocketbook, from time to time, we may collect and hold additional Personal Information or other information about you. This information may be secured [and] shared with a third party if required or necessary…." The policy further states that the company may collect the following information:
- The user's address, date of birth, and contact details
- Information about their financial circumstances and objectives, including assets, liabilities, income, expenditure, taxation information, insurance, superannuation, and investment preferences
- The data they send and receive by using Pocketbook
- GPS location, among others
The revelation comes weeks after the Optus data breach and has triggered panic among users.