iTnews

Aussie banks warn customers after fresh PayID data breach

By Ry Crozier on Aug 21, 2019 10:28AM

'Client-side technical issue' blamed for latest disclosure.

Banks have started warning customers of a fresh data breach involving PayID records that was reported to new payments platform overseer NPP Australia late Friday.

NPP Australia said that an undisclosed number of PayID records “and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.”

“Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately,” it said in an advisory.

“The affected data included PayID name and account numbers. 

“None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”

A Cuscal spokesperson told iTnews that the unspecified client of Cuscal "experienced a spike in PayID enquiries and resolutions via a number of customer accounts."

However, the spokesperson said that "no financial transactions took place in this process and the issue has been remediated" and that "technology changes were made by the client immediately to prevent any further PayID data and to reduce the risk of PayID data being inappropriately obtained by others in the future."

"As a shareholder Participant and sponsor of Identified Institutions in the NPP, Cuscal takes our role seriously, and we will continue to monitor and support this highly valued service," its spokesperson said.

NPP Australia said that financial institutions “whose customer details have been exposed have been provided with details so that they can take the necessary action, which includes customer notification and enhanced due diligence over affected accounts.”

It is understood this is why customers of CBA began receiving data breach notifications last night which disclosed “a sophisticated attack on another financial institution”.

CBA’s notification said it was “proactively contacting customers whose personal information has been disclosed to a third party through a sophisticated PayID scam”.

It suggested details including mobile numbers, email address, customer name, BSB and account numbers were disclosed.

CBA confirmed on social media that the breach notice emails were legitimate, after questions from customers.

The incident is the second to hit PayID since June, when Westpac was targeted with large-scale abuse of PayID's address lookup function.

NPP Australia said the two incidents would lead to tougher security protections for users of the system.

“Cybersecurity is an issue of paramount importance to NPP Australia,” it said.

“As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing endpoint security to ensure that the controls are executed as intended.”

Cuscal said both the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) have been notified.

More to come
