NAB sheds new light on data breach incident, outages

The National Australia Bank has shed additional light on its July 2019 data breach incident, pruning the number of affected customers from 13,000 to 11,500 and saying that “more than 80 percent of affected customers [were] contacted through various channels within two business days” – despite the incident only being made public at 6.30pm on a Friday night.

The details of the incident are revealed in NAB’s latest annual review and accompanying annual report released on Friday, with the beleaguered bank outlining measures its put in place to deal with potential further incidents.

The July incident occurred due to human error when personal information, including identifiers like drivers licence details, government identity numbers, dates of birth and contact details were uploaded “to the servers of two data service companies”.

While the potential for misuse of the information is small, even insignificant, the SNAFU legally triggered mandatory reports to regulators who are intently sniffing around banks data security and governance hygiene against a backdrop of increasing digital penetrations and heists.

“Regulators were notified within 72 hours, including the Office of the Australian Information Commissioner (OAIC), Australian Prudential Regulation Authority (APRA), Australian Securities and Investment Commission (ASIC) and the UK Information Commissioner’s Officer (UK ICO),” NAB’s said.

The incident also triggered a test of NAB’s new “Data Breach Playbook” with a subsequent review of the incident leading to “strengthened controls around our data leakage prevention and detection capabilities” and a “mandatory training for NAB staff globally”.

“The breach reinforced the need for quick, transparent action and prove how vital it is to manage risks and to swiftly engage and compensate customers when things go wrong,” the review says, though the dollar amounts for compensation paid to customers for that incident or others like outages is not specified in the review document.

In 2018 NAB coughed up $7.4 million in compensation payments to customers who suffered financial losses as a result of its bank-wide payment systems outage that left thousands of businesses unable to trade without cash in May that year.

Critical incidents are well down this year, with “a 42 per cent decline in critical and high incidents compared with last year.”

One major incident occurred in New Zealand in September when “a hardware failure triggered a database issue which resulted in an outage, causing customers to be unable to access our New Zealand online banking channels for two hours.”

“While BNZ identified the problem quickly, the outage caused intermittent impacts to our [customers’] visibility of their individual transaction history and resolution took several days.

“A further outage on 5 September 2019 saw further disruptions causing increased calls to our contact centres and negative media coverage. Throughout this period, ATMs and card transactions were unaffected.”

The report also details some of the commercial thinking behind NAB’s well documented multi-cloud strategy, namely the avoidance of lock-in.

“We are working with service providers such as Amazon Web Services, Microsoft Azure and Google Cloud to take advantage of the unique offerings of each provider and to protect ourselves from being dependent on any single provider,” NAB said.

“More than 950 of our people have been industry certified in Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform. Our business contains the most AWS certified people within any business in Australia and New Zealand outside of AWS itself,” NAB said.