Sampo Uh-Oh

Finnish bank acquisition goes very awry.

Over the course of 100-plus years, Sampo Bank had grown into one of the largest banks in Finland. Since its founding in 1887, Sampo stayed ahead of the technology curve, introducing the first modern payment system -- the postal giro -- in 1939, becoming Finland's first adopter of IBM's "electronic brain" in 1958, and amassing nearly one million users of its online banking service by 2006.

But alas, Sampo was swallowed up by Denmark giant Danske Bank. On Nov. 9, 2006, Danske announced not only the acquisition, but that it would integrate all IT platforms -- online banking, merchant processing, account management and so on -- in 1 year, 4 months and 15 days, by Easter weekend of 2008. And come hell or high water, they would meet that date.

As Easter grew closer, the integration problems grew worse. Instead of extending its own deadline, Danske opted to expand its integration project team to a whopping 2,500 employees and the budget to more than $300 million. The longer and harder developers worked on the systems, the sooner they transferred their personal savings accounts to other banks. Despite all the issues, Danske pushed forward with its Easter integration plan. Not surprisingly, after that fateful switchover in March 2008, things didn't go over so well.

Money Troubles
When the new system went live, many Sampo customers couldn't help but notice. Standing in line at retailers across Europe, they watched clerks swipe their Sampo cards over and over, only to get an "Authorization Denied" message every time.

Not to worry, embarrassed shoppers naively thought, the ATM is right across the corner -- but Sampo ATMs weren't quite working, either. As for the branches, not only were there hour-long lines, but the teller computer systems had issues as well: incorrect account balances, wrongly applied transactions and unavailable accounts, to name a few -- exactly the type of things that could send someone over the edge. One disgruntled customer took an axe to a wooden desk at a Sampo branch after learning his account was supposedly empty.

Don't Even Bother Logging In
As bad as Danske's retail problems were, its new online banking system fared much worse. While Sampo's former e-banking site was user-friendly, secure and accessible in most browsers and mobile phones, Danske's was none of the above.

Within hours of use, the entire online banking system collapsed under a normal, Monday-morning workload. This meant that Sampo's tech-savvy customers couldn't transfer money, pay bills or issue debits. While that isn't a mission-critical issue for the average personal banker, some of Sampo's business customers -- such as Nokia -- weren't too pleased.

When persistent users managed to access the site during its sporadic uptime, they immediately noticed that it was only accessible in Windows using Internet Explorer. And to make matters worse, they'd have to download a fairly large Java applet to perform their banking tasks. To make matters even worse, the Java applet was disastrously developed.

The Disassembly
Because Java code can so easily be decompiled, many developers chose to use an obfuscator to make reverse engineering-compiled Java virtually impossible. While the Danske developers actually did include an obfuscator in the applet, they apparently forgot to use it. This oversight allowed anyone with the freely available Java SDK to see the code behind their "secure" applet.

The most obvious oddity in the Danske applet was that it made extensive use of platform-specific native DLLs -- such as non-Java code -- for no apparent reason, thereby effectively undoing the platform-independence of the Java applet.

Tell Us Your Tale
Each issue Alex Papadimoulis, publisher of the popular Web site The Daily WTF, recounts first-person tales of software development gone terribly wrong. Have you experienced the darker side of development? We want to publish your story. Send us your 300- to 600-word tale -- if we print it, you'll win $100 and an RDN T-shirt! E-mail your story to Senior Editor Kathleen Richards at and use "DevDisasters" as the subject line.

There were other interesting finds in the applet. Among them: the users' computers' hardware and drives were scanned and a profile sent to the bank; a root-certificate was an embedded resource, but it was encoded in Base64; and this curious code:

public static final int RandomErrorNotEnoughRandom = 1;

Happy Easter
While Danske has since resolved many of the most serious issues, it's still dealing with the fallout. Though the bank has vowed to waive fees through September 2008 and has offered to pay for any financial damages that occurred as a result of its system outages, an estimated 20,000 customers have switched banks.

But the good news is it made the Easter deadline.

About the Author

Alex Papadimoulis lives in Berea, Ohio. The principal member of Inedo, LLC, he uses his 10 years of IT experience to bring custom software solutions to small- and mid-sized businesses and to help other software development organizations utilize best practices in their products. On the Internet, Alex can usually be found answering questions in various newsgroups and posting some rather interesting real-life examples of how not to program on his Web site You can contact Alex directly via email at,

comments powered by Disqus
Upcoming Events

.NET Insight

Sign up for our newsletter.

I agree to this site's Privacy Policy.