Busted big-time -- by the bank
Testing oversight: Contact fields transposed during financial database migration
Consequence: Financial services firm sends detailed "secret" savings and charge card records made for mistresses to customers' wives.
It's hard to get away with an affair when the bank won't play along. That's what some high-roller clients of an unnamed financial services firm learned when the firm sent statements containing full details of account holders' assets to their home addresses.
Although that might not sound like a recipe for disaster, this particular firm -- which requires a $10 million minimum deposit to open an account -- is in the business of providing, shall we say, a financial masquerade for those who wish to sock away cash they don't want certain members of their marriage to know about.
Customers who desired this kind of service typically had one (somewhat abridged) statement mailed home, and another, more detailed (read: incriminating) statement mailed to another address.
When the firm instituted a major upgrade to its customer-facing portal, however, a database migration error slipped through the cracks. The customer's home address was used for the full, unabridged account statements. The nature and character of the discussions between account holder and spouse regarding charges for hotel rooms, expensive jewelry, flowers, and dinners are left as an exercise for the imagination.
According to a source inside the company, the firm lost a number of wealthy clients and nearly US$450 million in managed assets as a result of the flub. But the real winners in this case, apparently, were the divorce lawyers.
Testing tip: In this case, it seems like the engineers who designed the upgrade didn't fully understand the ramifications of what they were doing. The bank executives who maintain this house of cards were ultimately at fault. Communicate the intricacies of your customers' business relationships to your site designers and follow through with continuous oversight to ensure clients' dirty laundry, err, sensitive data stays out of public view.