Attackers exploiting CBA health fund data breach

The not-for-profit health fund that services Commonwealth Bank staff is warning customers not to click on dodgy emails after attackers stole customer data from one of its third-party partners.

CBHS was established in 1951 by the Commonwealth Bank as a health fund for the bank's staff. It later separated from CBA and opened up its services to CBA family members and former staff.

CBHS last night emailed its customers to advise them that the systems of an unnamed third-party had been "subject to a data breach", with some of the data "accessed by an unauthorised party".

The affected data is "primarily corporate marketing information", CBHS said in the email, sighted by iTnews. It includes name, email address, suburb, state, postcode and date of birth records for "some" CBHS members.

The health fund said no member health records, bank account numbers, login or password details were compromised. It declined to detail how many records were stolen or name the affected third-party.

Attackers are already exploiting the stolen data by sending unsolicited spam emails to affected customers, CBHS warned.

"We urge you not to open, forward or act on any emails that look suspicious, and to delete them immediately," the fund said.

It is working with the third party to identify the source of the breach "as a matter of high priority" to prevent a similar security issue reoccurring. CBHS has cut electronic links to the affected company in the interim.

"We will keep you updated on any steps you may need to take in response to this incident," CBHS said.

It is understood the fund was made aware of the breach yesterday morning, with the initial attack occurring over the weekend.