Banks have warned customers of a vulnerability that exposed names, account, and BSB numbers.
The New Payments Platform (NPP) released a statement on Tuesday confirming the breach.
“NPP Australia was advised late in the evening of Friday, 16 August 2019 that a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited,” the statement said.
“Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately.”
PayID is a service that allows users to send money across institutions in real-time.
Instead of entering bank account and BSB numbers — like with a traditional electronic bank transfer — PayID only requires a mobile phone number.
This functionality already proved problematic in June when Westpac confirmed the data of 100,000 customers was compromised by an attacker targetting the PayID look-up function en masse.
Cuscal said there had not been any untoward transactions made using the exposed details.
And NPP said there was a low-level of risk for customers whose account numbers were leaked.
“None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement,” NPP said.
“Financial institutions whose customer details have been exposed have been provided with details so that they can take the necessary action, which includes customer notification and enhanced due diligence over affected accounts.”
Cuscal boasts enabling “more organisations to the New Payments Platform than anyone else – more than half of the financial institutions there on ‘day 1’, and has a client list that includes, AMP, Bendigo Bank, People’s Choice Credit Union, and Westpac.
The Commonwealth Bank confirmed on Twitter that it had sent notifications to customers who had been affected.
Hi Nathan, Alisi here. Thanks for reaching out. The email you received is legitimate, we take the security of your information very seriously and as a result have increased our security monitoring on your accounts.— CommBank (@CommBank) August 20, 2019
The Office of the Australian Information Commissioner also requires notification when data breaches take place which NPP confirmed Cuscal has done.
“Cuscal’s client has advised that the appropriate regulatory notifications have been made,” NPP said.
“NPP Australia has regulations in place that prohibit disclosure of account data and that require participating financial institutions to have controls to monitor, detect and shut down any attempts to misuse the PayID service.
“These regulations incorporate suspension of access to the PayID service by organisations not meeting these requirements, and were recently strengthened by the introduction of non-compliance charges which are expected to be also applied where these controls are not implemented.”