Westpac customer data stolen

PayID exploited to scrape names and phones numbers.

By Casey Tonkin on Jun 04 2019 11:33 AM

A targeted cyber attack has compromised the data of nearly 100,000 Westpac customers.

Bad actors used several compromised accounts to look up NPP PayID phone numbers at random en masse which, when successful, exposed the customer’s name.

PayID users have their bank account details tied to their mobile phone number or email address in order to instantly transfer payments.

A Westpac spokesperson confirmed to Information Age that they had “detected mis-use of the NPP’s PayID functionality” and took preventative measures.

“No customer bank account numbers were compromised as a result,” the spokesperson said.

“Westpac Group takes the protection of customer data and privacy extremely seriously and we continually monitor our systems.

“There has been no further inappropriate activity detected.”

All of Australia’s ‘big four’ banks offer PayID to their customers.

Known exploit

In a leaked memo to the banking industry, Westpac said the attack had been ongoing since April and probably originated overseas.

The attack vector was shown early last year when a Twitter user revealed linked names and phone numbers he found by brute force.

At the time, NPP issued a statement about the privacy of their PayID system.

“We are aware that a person on Twitter has performed a small number of PayID look-ups and tweeted these details publicly in a bid to start a discussion about PayID and privacy issues,” the statement said.

“While unfortunate for the individuals involved, the discussion highlights the choice and benefits to be considered by users when they opt in to create a PayID.”

Casey Tonkin

A lifelong technophile and science fiction geek, Casey joined Information Age in 2019. With interests in AI, space travel, and post-humanism, Casey is always on the hunt for the overlap of science-fact and science-fiction.