WA's P&N Bank hit by data breach

Western Australia’s largest member owned bank, P&N Bank, has notified its customers of a data breach that exposed personal information from its customer relationship management system.

In an email to its approximately 96,000 members on Wednesday, P&N CEO Andrew Hadley said “non-sensitive” data had been accessed as a result of a cyber-attack last month.

Information contained in the CRM includes customer names and ages, residential addresses, email addresses, phone numbers, customer numbers, account numbers and account balances.

Formerly the Police & Nurses Credit Society, a significant proportion of P&N Bank members are, logically, police and nurses.

Hadley stressed that no customer passwords or credit card details had been compromised, as its core banking system was “completely isolated and separated from the impacted system”.

Other information such as driver’s licence numbers, passport numbers, social security numbers, tax file numbers, birthdays or health data was also not contained in the CRM.

P&N Bank is now working closely with the Western Australian Police Force (WAPOL) and relevant federal authorities to investigate the incident, which occurred during a server upgrade.

“The criminal activity took place around 12 December 2019, via an attack during a server upgrade, on a third party company that P&N Bank engages to provide hosting services,” Hadley said.

“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability and have since been working closely with WAPOL, other federal authorities, our third-party IT provider involved, regulators and independent expert advisers to investigate and protect customers from any further risk.”

iTnews has contacted P&N Bank for further comment.