Re: 402 customers?
> Should have been picked up at UAT and probably pentest.
To me it sounds more like it’s time to sack the entire team and throw away all the code they wrote.
If you’re even anywhere close to one user accessing a different user’s bank account, it means several layers of security are borked or maybe just not there.
Almost OK for some stupid PHP webshite, but absolutely not for a f***ing bank.