NAB disclosed a data breach late Friday after a dataset containing the personal details of approximately 13,000 customers was uploaded to the servers of “two data service companies”.
The just-after-6PM announcement is suspicious: late on Friday is a time often used to take out the trash in the hope that bad news disappears amid the weekend’s sport and other frippery.
An NAB spokesperson told iTnews the timing reflected a fast-moving situation.
iTnews was told that the bank notified the Office of the Australian Information Commissioner (OAIC) earlier on Friday afternoon, then started to contact customers, and then made news of the breach public with an online statement.
Chief data officer, Glenda Crisp, said the compromised data “included customer name, date of birth, contact details and in some cases, a government-issued identification number, such as a driver’s licence number.”
Crisp attributed the issue to “human error”.
She said the uploads to the data service providers were done “in breach of NAB’s data security policies.”
Crisp said it “was not a cyber-security issue”.
While she did not detail the exact reason the dataset was uploaded, it would appear the bank was performing some form of data analytics work on the dataset using third-party tools or services.
NAB said its security teams had contacted the two companies, “who advise that all information provided to them [was] deleted within two hours”.
NAB said it would call, email or write “to each impacted customer individually.”
“A dedicated, specialist support team is in place, available to them 24/7,” she said.
“If government identification documents need to be reissued, NAB will cover the cost.
“NAB will also cover the cost of independent, enhanced fraud detection identification services for affected customers.”
The bank said there was “no evidence to indicate that any of the information has been copied or further disclosed.”