Account Number & Sort Code — An Awful Warning
March 27th, 2017 by Gwyn Headley
Managing Director
Tags: account number, BBC, cheque details, Getty Images, HSBC, Jeremy Clarkson, sort code
Paying by bank transfer is much easier than paying by cheque, which is why so many companies now include their bank details — account number and sort code — on their invoices.
That’s reasonable when the recipient is a private individual or another company. It’s not so good when they are published on the fifth biggest website in the country.
To illustrate an article “Bank cheques to be cleared within a day” on their website last Wednesday the BBC used a photograph of a handwritten HSBC cheque, clearly showing a company’s account number and sort code details.
The trouble was they were ours — fotoLibra.com’s.
This was a cheque we’d paid to one of our contributors in 2012, and to add aggravation to outrage she photographed it and uploaded it to Getty Images, who then sold it to the BBC, complete with our clearly visible bank details.
James Cliffe, HSBC’s Head of Business Banking, is no call centre drudge and he took the issue sufficiently seriously to call me direct. HSBC had seen the article shortly after it appeared and immediately called the BBC to complain. The photograph was replaced within the hour.
An account number and sort code is all an unscrupulous individual needs to set up a standing order or direct debit, as Jeremy Clarkson found to his cost when he published his bank details in the belief they only worked one way. He found he was suddenly paying out a £500 direct debit to the charity Diabetes UK.
Clarkson revealed his account numbers after rubbishing the furore over the theft of 25 million people’s personal details. He wanted to prove the story was a fuss about nothing. “The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” sighed Clarkson. “I was wrong and I have been punished for my mistake.”
We hold the BBC and Getty Images equally responsible. We expect they know (Getty, that is) they’ve done wrong because there’s no trace of that image on their website today.
We still don’t know what damage we may suffer.
But if HSBC’s big guns are concerned, then we are concerned.
I print bank details on the invoices I issue. Is this putting me at risk?
According to the man from HSBC, not really, if the recipient is a private individual or another company — unless of course they are criminally inclined. Knowing some of your clients, I suggest you work for cash in advance only.
Isn’t this a case where a property release is required & doesn’t the cheque remain the property of the bank regardless of who uses it?
Can we do something to at least have Getty (another entity too big to be held properly to account) pay fotoLibra some form of compensation?
Well, we’re certainly making a complaint to them. Not sure about a property release though.
What a stupid person!? Fancy uploading a photo of a cheque… and to a rival agency at that! Love the description, waiting to have it ‘chashed’ maybe that’s a code!
I think you need to get to the root of the problem and get Ababsolutum to remove or edit the photo, and Getty need to take the image down until it’s complete.
It’s still available to buy now. I might make a monthly donation to Diabetes UK 😉
If it’s still available on Getty, can you give me the reference number please? I can’t find it!
It’s on Getty owned iStock with reference 459254539
Good luck!
Many thanks Chris!
The words hand, biting, the, feeds, that & you spring to mind in no particular order. A reverse search shows it’s still available on istock with a/c details still. Also seems to have been used on other sites & blogs whether they were paid for or just lifted. Are HSBC sufficiently concerned they would want to change your a/c number? If not then as they are aware of the situation are they saying they will cover you for any fraud that may arise?
I’ve sent you an email with the link to the image
Thanks David!
Surely the concern is misdirected?
The issue is not that an account number and sort code should not be “published” but that ONLY a sort code, account number and (presumably) account name is enough to TAKE money from somebody’s account without that person having to give approval.
Of course, until that issue is resolved then yes, sharing such details is A Very Bad Idea, but the problem is not the sharing of the details but that the banking system is so vulnerable to such a simple thing.
A simple solution (so not one that will be implemented any time soon) is to block nominated accounts from any automated payment schedule. Once an account has been opened and the account owner has been dragged through the verification process a couple of clicks is all it would need for him/her to open a separate account which will accept incoming payments but can only pay out to the owner’s other account.
I have a solution to not knowing what further damage can be done: change your bank and all accounts.
Yes, that would work, but we’d have to have a full-time compliance officer to take care of the fairly constant attacks we and all other businesses suffer. And the admin at this end would be too daunting to cope with.
Hi Gwyn,
I read your article about this, and hope you manage to get it sorted and the photograph removed from Getty straightaway. Particularly galling as it was one of your contributors!
Anyway the reason I am posting this is to let you know of a company local to me in Scotland (a fellow BNI member) who specialises in web and online security and forensic investigations.
It would be worth you having a chat with them as I don’t believe that you necessarily require to have a full-time compliance officer. I’ve attached their details here for you and put Wynn’s direct mobile number for him. I will also let him know your situation – so he’ll contact you and he’ll be able to give you more of an idea about how he can help you.
wjones@praetoriansecurity.co.uk
Wynn Jones ECSA LPT CEH CHFI CCSA CVE CCA
Director, Praetorian IT Security
http://www.praetoriansecurity.co.uk
http://www.secured-it.co.uk
I hope this can help you – they are highly recommended, and their speciality is to help SMEs in particular (whilst having the experience of working with very large corporations). They are also experts in recovering data.
If anyone has Ransomware issues – contact them.
Gwyn
That’s awful – your contributor should have known better in the first place but as for Getty and the Beeb … At least she hid your signature.
I hope Getty pay you a substantial sum – they should certainly never have uploaded it.
Funny that. I asked my bank Santander about sending out these details as I was worried about what could happen and they said no problem perfectly safe! I shall ask again by email this time so I have the answer in writing.
We were assured it was a risk by HSBC’s Head of Business Banking UK, who rang me personally. I have no reason to doubt him. I can’t believe HSBC finds it a problem and Santander doesn’t. We have closed the compromised account and opened a new one, on HSBC’s recommendation. In any case, it’s always safer not to broadcast sensitive information.