The Australian P&N Bank reported a data breach that exposed detailed and sensitive financial information on an unspecified number of customers.
Access was gained on December 12 to the bank’s customer relationship management system, which is operated by a third-party hosting firm, while it was undergoing an upgrade. Details on how it was accessed were not revealed, but P&N said once the breach was noticed the system in question was immediately shut down.
The information included name, address, email, phone number, customer number, age, account number and account balance. Additional pieces of what P&N considers non-sensitive data, such as interactions between the bank and its customers, were also located on the breached system.
“Organizations must take proactive approaches to protect their data. This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats. Additionally, organizations should do their due diligence in ensuring third-party partners are practicing adequate security measures and extend testing to partners as well,” said Stephan Chenette, co-founder and CTO at AttackIQ.
Driver’s license, passport, Social Security, tax file and credit card numbers, birthdate and health information in the bank’s possession were not accessed.
“P&N Bank’s core banking system is completely isolated and separate from the impacted system, so we can be confident this incident,” the bank said in a statement, adding that the incident has not caused the loss of any customer funds or enabled third parties to access customer credit card details, and that all banking passwords are safe.