Computerworld

13,000 NAB customers affected by data breach

Bank begins to contact customers after data erroneously sent to third parties

NAB has begun contacting some 13,000 of its customers revealing details of a data breach.

The bank said that a range of personal information including names, dates of birth, contact details and in some cases, the number of a government-issued ID document, such as a driver’s licence number, was erroneously uploaded to the servers of two “data service companies”.

NAB revealed details of the breach late on Friday.

The bank said the two companies have assured its security team that “all information provided to them is deleted within two hours”.

“We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers,” said NAB chief data officer, Glenda Crisp, in a statement released by the bank. “We take full responsibility.”

The problem was the result of “human error” and was a breach of the bank’s data security policies, the NAB exec said.

The issue did not affect NAB login details or passwords and was not the result of a “cyber security” issue, she said.

“Our number one priority is to support our customers. We are moving quickly to proactively contact every person affected.”

The bank said it would cover the cost of any government ID documents that need to be reissued and of fraud detection services for the affected customers.

NAB has established a 24/7 support team for affected customers and said it had notified regulators, including the Office of the Australian Information Commissioner (OAIC).

“We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers’ accounts,” Crisp said.

Last month the OAIC announced that the Commonwealth Bank of Australia had signed a court-enforceable undertaking to improve how it handled customer information.

The undertaking followed in the wake of two incidents scrutinised by the OAIC. One was the bank being unable to confirm the destruction of magnetic tapes containing 19.8 million customer records. The incident took place when Fuji Xerox was decommissioning a CBA data centre.

The other involved the OAIC unearthing inadequate internal access controls for customer data at the bank.

In May the OAIC released a report that summarised the operation of the notifiable data breaches (NDB) scheme during its first four complete quarters.

The finance sector reported the second-highest number of data breaches in the 12-month period covered by the report, trailing only the health sector.

Forty-one per cent of the breaches reported by financial services organisations related to human error, compared to the average across all sectors of 35 per cent.

“Like the health sector, a number of these data breaches were the result of personal information sent to the wrong recipient,” the OAIC observed.

“Finance has also long been a target of cybercriminals given the financial rewards possible, and attacks on the industry have been observed to have risen in recent years. Accordingly, a high proportion of finance sector breaches—56 per cent—were attributed to malicious or criminal attacks,” the report added.