The customer contacted ZDNet Australia
"What St.George hasn't thought through is that the BPay reference number used when paying off a credit card is in fact the [customer's] full credit card number," he said.
St.George's Web-based online banking transactions are secured by encryption technology. However, knowledge that the bank is transmitting sensitive information across insecure segments of the Internet has outraged the customer.
"Any server that was used to forward this e-mail on to me now has my credit card number unencrypted for anyone to see," he said.
According to Adam Cook, corporate affairs manager at St.George, the security weakness only affects a small number of customers who request to be notified about regular payments.
"He has the choice of not getting a receipt, and had he chosen not to, this issue wouldn't have appeared," Cook said.
However, after ZDNet Australia
The bank says that it will now hash the first twelve digits of credit card numbers included in future customer receipts.











The response of St George's Adam Cook to this very real concern should be identified as a lesson in Career Limiting Comments. What he is effectively saying is this: "Thank you Mr. Customer for alerting us to an issue that could have potentially cost us millions in liability suits, however, we really wish you hadn't."
The customer in question should invoice St George for his time, as recent events make it clear St. George are wasting the squillions spent with big brand consultants who fail to spot the most obvious of potential difficulties.
A disgusting response from Mr. Cook.
Yours truly,
A now 'insecure' St George customer.