More likely, the customer didn't twig when a known bank employee asked him for his whole password instead of the partial information that the computer was inviting him to ask for.
"Can I have letters 1,2 and 5 of your password?"
tap tap tap wait
"oops, my computer's just gone down. Sorry about this"
(make smalltalk for a minute or so)
"OK, we're back, I'll need to take you through security again"
"can I have letters 4,6 and 8 of your password"
"Yes, sir, that's fine, how can I help you? "
At this point the criminal employee has six letters of the password and can probably guess the rest nine times out of ten.
Sigh. Does crime really not pay?