Scarborough Building Society has pulled an insecure form from its site after it emerged that sensitive information was sent over an unencrypted connection.

An online application form for various types of savings accounts invited prospective investors to fill in various categories of sensitive personal information before printing off the form and sending it in to the society by conventional post. In reality, data was exchanged with the society's servers as checks were made to ensure the form was filled in correctly. This contradicts what the society told customers at the bottom of the form and what was implied by the procedure of posting off information they had typed in.

Not only that, but as Reg reader Alan Iwi was quick to notice this data was sent over an insecure (unencrypted) connection, leaving it vulnerable to potential eavesdropping attack. Scarborough reacted quickly on notification, and pulled the form and launched an investigation.

"We have experienced a technical issue with the form and have temporarily removed the ability to submit any form containing personal information online for checking. A technical solution to the issue will be put in place over the next few days," a Scarborough Building Society spokeswoman explained.

Scarborough Building Society was founded in 1846 and is the second oldest building society in the UK. The mutually owned financial organisation manages assets worth an estimated £2.9bn. ®

Related stories

• CookieMonster nabs user creds from secure sites (11 September 2008)
• Updated: Password pants-off at Lloyds Bank (28 August 2008)
• Updated UK bank chief stung in ID theft scam (20 August 2008)
• Security shocker: 75% of US bank websites have flaws (25 July 2008)
• UK bank blames fraudsters for World of Warcraft ban (15 February 2008)
• Intelligent Finance upgrade downs web service (31 July 2007)
• UK banking websites' security slammed (28 September 2006)