Australians are being alerted about a new breach that saw the PayID details and data of some bank customers accessed.
New Payments Platform (NPP) Australia, a real-time payments platform mutually owned by 13 major financial institutions, said it was advised late on Friday that “a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited”.
“Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately,” NPP Australia said in a statement.
The data breach exposed PayID usernames, mobile numbers, BSBs and account numbers.
But the exposed details were not enough to lead to theft, NPP Australia said.
“None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”
Financial institutions whose customer details were exposed have been told of the data breach “so they can take the necessary action”, meaning banks will be notifying affected customers and keeping a closer eye on affected accounts.
“The appropriate regulatory notifications have been made.”
NPP Australia said cybersecurity was of “paramount importance” and that it is pushing for greater cybersecurity standards to be put in place.
Data breach: Who is affected?
CBA confirmed to some customers on social media that the breach had occurred.
Hi Nathan, Alisi here. Thanks for reaching out. The email you received is legitimate, we take the security of your information very seriously and as a result have increased our security monitoring on your accounts. — CommBank (@CommBank) August 20, 2019
A Westpac spokesperson confirmed to Yahoo Finance that the breach had affected its customers.
“Westpac is aware of an incident at another financial institution which has resulted in the disclosure of PayID account data (PayID username, mobile number, BSB and account number) of a number of individuals,” the spokesperson said.
“We are in the process of contacting all impacted Westpac customers.”
Yahoo Finance understands that, while the exposed details alone cannot lead to withdrawal of funds, cyber criminals may harness this data in scamming and phishing attempts – so customers should stay vigilant.
Westpac urged customers to be wary of SMS scams, such as a fake personalised text that looked like a real message from Westpac with the malicious intention of getting your banking or personal information.
No customers from Bank of Melbourne, BankSA or St George were affected, the spokesperson confirmed.
Yahoo Finance has also contacted NPP Australia, CBA, NAB, and ANZ for comment.
It’s not the first time
In June this year, nearly 100,000 Australians’ details were exposed after cyber criminals found customers’ details through PayID, which works like an open telephone book, where entering an email address or mobile number will show the account holder’s name.
“Westpac can confirm we had detected mis-use of the New Payments Platform’s PayID functionality and we took additional preventative actions which did not include a system shutdown,” a Westpac spokesperson told Yahoo Finance at the time.
“No customer bank account numbers were compromised as a result.”
“There has been no further inappropriate activity detected.”