The
Australian P&N Bank reported a data breach that exposed detailed and
sensitive financial information on an unspecified number of customers.
Access was
gained on December 12 to the bank’s customer relationship management system,
which is operated by a third-party hosting firm, was undergoing an upgrade.
Details on how it was accessed were not revealed, but P&N said once the
breach was noticed the system in question was immediately shut down.
The
information included name, address, email, phone number, customer number, age,
account number and account balance. Additional pieces of what P&N considers
non-sensitive data, such as interactions between the bank and its customers,
was also located on the breached system.
“Organizations
must take proactive approaches to protect their data. This should include
mapping organizational capabilities and security controls to specific attack
scenarios to measure their preparedness to detect, prevent and respond to these
threats. Additionally, organizations should do their due diligence in ensuring
third-party partners are practicing adequate security measures and extend
testing to partners as well,” said Stephan Chenette, co-founder and CTO at
AttackIQ.
Driver’s license,
passport, Social Security, tax file, credit card numbers, birthdate and health
information in the bank’s possession was not accessed.
“P&N
Bank’s core banking system is completely isolated and separate from the
impacted system, so we can be confident this incident,” the bank said in a statement,
adding the incident has not caused the loss of any customer funds nor enabled
third parties to access customer credit card details and all banking passwords
are safe.
Access was
gained on December 12 when the system, which is operated by a third-party
hosting firm, was undergoing an upgrade. Details on how it was accessed were
not revealed, but P&N said once the breach was noticed the system in
question was immediately shut down.
