National Australia Bank suffers data breach involving 13,000 customers
July 28, 2019
There has been widespread coverage of the data breach at NAB involving the personal information of 13,000 customers being uploaded to two data companies without permission. The data provided to the mysterious data companies is extensive: names, dates of birth, contact details and, in some cases, government-issued identifiers. That is close to enough to attempt identity theft and, from there, get close to accessing accounts. It is serious, but mitigated by the fact that the disclosure was only to third party providers known to NAB. From the tenor of the story it is likely that the data companies knew of, and have or had some form of relationship with, NAB. As such the disclosure is more containable than a disclosure to the world or a hack. The difficulty with providing personal information to third party providers is that control over their activities is very limited. That constitutes a real fault line of data security. There are a number of ways to reduce the risk, such as requiring appropriate security practices, auditing those practices, and providing data in a form such that even a breach will not be catastrophic, for example by never sending log-in details alongside names, or by not providing full credit card numbers. The real problem is maintaining standards. And critical to that is staff training. The NAB statement and the reporting make it clear that the cause of the breach was human error. What that means here is not made clear. What it often means is that the person responsible didn't understand the procedures or didn't understand what data was involved.
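As an illustration of the "provide data in a form such that even a breach will not be catastrophic" point above, here is an added example of a minimisation step applied to a customer record before it goes to any third-party data service. This is example code written for this post; it is not NAB's code and does not describe how NAB's upload actually worked. The field names, the per-service policy, the partner key and the sample record are all assumptions made for the example.

```python
# Added example (not NAB's code): minimise a customer record before it is
# sent to a third-party data service, so that a mistaken or unauthorised
# upload exposes as little as possible. Field names, the policy, the key and
# the sample record are assumptions made for this illustration.
import hashlib
import hmac
import re

# Assumed outbound policy for one hypothetical data service: only the fields
# named in "allow" may leave, and some of those are transformed rather than
# sent raw.
POLICY = {
    "allow": {"customer_ref", "postcode", "date_of_birth", "email", "card_number"},
    "pseudonymise": {"email"},        # replaced by a keyed hash: stable, not reversible
    "year_only": {"date_of_birth"},   # birth year is usually enough for the partner
    "mask_pan": {"card_number"},      # last four digits only
}

# Fields that never leave the bank, whatever a service's policy says.
NEVER_EXPORT = {"password", "drivers_licence", "passport_number", "tfn"}

# Constructed sample record; not real customer data.
SAMPLE = {
    "customer_ref": "C-000123",
    "full_name": "Jane Citizen",
    "date_of_birth": "1985-04-12",
    "email": "jane@example.com",
    "mobile": "0400 000 000",
    "drivers_licence": "123456789",
    "card_number": "4111 1111 1111 1111",
    "postcode": "3000",
    "password": "hunter2",
}

# Per-partner key so pseudonyms cannot be correlated across data services.
# Assumed value; a real deployment would pull this from a key store.
PARTNER_KEY = b"assumed-per-partner-secret"


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash: the partner can match repeat records but not recover the value."""
    return hmac.new(key, value.lower().encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number has unexpected length")
    return "*" * (len(digits) - 4) + digits[-4:]


def assert_no_raw_leak(record: dict, out: dict, policy: dict) -> None:
    """Last line of defence: no raw value of a withheld or transformed field
    may appear anywhere in the outbound payload."""
    transformed = policy["pseudonymise"] | policy["year_only"] | policy["mask_pan"]
    sent = " ".join(str(v) for v in out.values())
    for field, value in record.items():
        if field not in out or field in transformed:
            if str(value) and str(value) in sent:
                raise RuntimeError(f"raw value of {field!r} would leave the bank")


def minimise(record: dict, policy: dict, key: bytes) -> dict:
    """Return the subset of `record` that the policy permits to leave."""
    out = {}
    for field, value in record.items():
        if field in NEVER_EXPORT or field not in policy["allow"]:
            continue  # dropped: the deny list wins over any allow list
        if field in policy["pseudonymise"]:
            value = pseudonymise(value, key)
        elif field in policy["year_only"]:
            value = value[:4]
        elif field in policy["mask_pan"]:
            value = mask_pan(value)
        out[field] = value
    assert_no_raw_leak(record, out, policy)
    return out


if __name__ == "__main__":
    print(minimise(SAMPLE, POLICY, PARTNER_KEY))
```

The point of the structure is that the decision about what a partner receives is made once, in a reviewed policy, rather than by whichever staff member assembles the upload; the deny list cannot be overridden by a generous per-service allow list, and the final leak check catches a raw identifier that slips through in another field.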
The statement from NAB provides:
NAB has today (Friday 26 July 2019) begun contacting approximately 13,000 customers to advise that some personal information provided when their account was set up was uploaded, without authorisation, to the servers of two data service companies.
NAB’s security teams have contacted the companies, who advise that all information provided to them is deleted within two hours.
NAB Chief Data Officer, Glenda Crisp, said the compromised data included customer name, date of birth, contact details and in some cases, a government-issued identification number, such as a driver’s licence number.
“We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers. We take full responsibility,” she said.
“The issue was human error and in breach of NAB’s data security policies.”
Ms Crisp said it was not a cyber-security issue. No NAB log-in details or passwords have been compromised – and NAB’s systems remain secure.
“Our number one priority is to support our customers. We are moving quickly to proactively contact every person affected.”
NAB is calling, emailing or writing to each impacted customer individually. A dedicated, specialist support team is in place, available to them 24/7.
If government identification documents need to be reissued, NAB will cover the cost.
NAB will also cover the cost of independent, enhanced fraud detection identification services for affected customers.
Importantly there is no evidence to indicate that any of the information has been copied or further disclosed.
NAB is advising impacted customers that they do not need to take any action with their account.
“We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers’ accounts,” Ms Crisp said.
NAB has also notified and is working with industry regulators, including the Office of the Australian Information Commissioner.
Ms Crisp said: “We take full responsibility. We can assure you that we understand how this happened and we are making changes to ensure this does not happen again.”
The Australian’s story on the breach puts it in the context of a steady run of data breaches in the recent past, providing:
National Australia Bank’s reputation stands to be further tarnished after it was forced to make an embarrassing admission on the breach of 13,000 customers’ personal data, including contact details and driver’s licence numbers.
In a statement, the bank (NAB) said it had begun contacting about 13,000 customers to advise that some personal information provided when setting up their account was uploaded “without authorisation” to the servers of two data service companies.
“NAB’s security teams have contacted the companies, who advise that all information provided to them is deleted within two hours,” the bank said on Friday night.
The compromised data included customer names, dates of birth, contact details and in some cases, a government-issued identification number such as a driver’s licence number.
“We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers. We take full responsibility,” NAB’s chief data officer Glenda Crisp said.
“The issue was human error and in breach of NAB’s data security policies.”
NAB’s statement said no log-in details or passwords were compromised as part of the breach and the bank’s systems “remain secure”.
The NAB breach — which the bank says was not a hack or cyber security issue — follows a string of other high profile privacy incidents over the past three years.
Rival Commonwealth Bank of Australia last month agreed to a court-enforceable undertaking after an embarrassing privacy breach and regulatory inquiries which identified gaps in the way it managed the personal information of customers.
The Office of the Australian Information Commissioner (OAIC) carried out its investigation in the wake of an incident in 2016 in which magnetic storage tapes containing historical statements for up to 20 million CBA customers were misplaced.
Outside of banking, listed valuation company LandMark White remains in a difficult trading position after a serious cyber intrusion in January, where 137,500 valuation records were stolen by hackers. That was followed by another incident where a batch of the company’s sensitive commercial data was posted online.
In 2018, human resources company PageUp admitted the personal details of thousands of Australians had potentially been compromised.
That came after the personal data of 550,000 blood donors was leaked from the Red Cross Blood Service three years ago, including information about sexual behaviour.
Companies can no longer keep these breaches secret. The federal government in early 2018 imposed the nation’s new notifiable data breaches scheme, forcing communication with customers if their data had been breached or lost.
NAB is calling, emailing or writing to each impacted customer.
“Our number one priority is to support our customers. We are moving quickly to proactively contact every person affected,” Ms Crisp said.
If government identification documents need to be reissued, NAB said it will cover the cost. The bank also vowed to cover the cost of “independent, enhanced fraud detection identification services” for affected customers.
The OAIC has been notified of the NAB issue and the bank said there was no evidence to indicate any of the compromised information had been copied or further disclosed.
“We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity,” Ms Crisp said.
“We take full responsibility. We can assure you that we understand how this happened and we are making changes to ensure this does not happen again.”
Globally, data privacy has been a hot-button issue this year.
Credit bureau Equifax this month agreed to pay at least US$650 million to resolve claims from a 2017 data breach.