Banks have started warning customers of a fresh data breach involving PayID records that was reported to New Payments Platform (NPP) overseer NPP Australia late Friday.

NPP Australia said that an undisclosed number of PayID records “and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.”
“Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately,” it said in an advisory.
“The affected data included PayID name and account numbers.
“None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”
A Cuscal spokesperson told iTnews that the unspecified client of Cuscal "experienced a spike in PayID enquiries and resolutions via a number of customer accounts."
However, the spokesperson said that "no financial transactions took place in this process and the issue has been remediated" and that "technology changes were made by the client immediately to prevent any further PayID data and to reduce the risk of PayID data being inappropriately obtained by others in the future."
"As a shareholder Participant and sponsor of Identified Institutions in the NPP, Cuscal takes our role seriously, and we will continue to monitor and support this highly valued service," its spokesperson said.
NPP Australia said that financial institutions “whose customer details have been exposed have been provided with details so that they can take the necessary action, which includes customer notification and enhanced due diligence over affected accounts.”
It is understood this is why customers of CBA began receiving data breach notifications last night which disclosed “a sophisticated attack on another financial institution”.
CBA’s notification said it was “proactively contacting customers whose personal information has been disclosed to a third party through a sophisticated PayID scam”.
It suggested details including mobile numbers, email address, customer name, BSB and account numbers were disclosed.
CBA confirmed on social media that the breach notice emails were legitimate, after questions from customers.
The incident is the second to hit PayID since June, when Westpac was targeted with large-scale abuse of PayID's address lookup function.
NPP Australia said the two incidents would lead to tougher security protections for users of the system.
“Cybersecurity is an issue of paramount importance to NPP Australia,” it said.
“As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing endpoint security to ensure that the controls are executed as intended.”
Cuscal said both the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) have been notified.