AUGUST has been a smooth month for data breaches, with a rounded sum of 114 million breached records.
That is nearly 10 per cent of the monthly average. But that number comes from about 95 incidents, which is the highest of data breach numbers we have had all year.
The latest in the line is a PayID hack that left thousands of bank accounts at the risk of cyberattacks. The issue was revealed by Australia’s New Payments Platform (NPP), the firm co-owned by thirteen financial groups, including Reserve Bank of Australia (RBA), in consultation with the ‘BIG FOUR’ banks – the Commonwealth Bank of Australia (CBA), the Australia and New Zealand Banking Group (ANZ), the National Australia Bank (NAB), and Westpac, which hold the entire Australian finance industry’s about 95 per cent market share among them.
What Sparked The Problem?
Over the past years, Aussie banks were plaguing with one scandal after another; this time, the hack arose from one of the NPP banks that was secured by the payments provider Cuscal Limited.
The seized data included the PayID name and account numbers.
“Client-side technical issue” was the one blamed for the disclosure.
PayID – Was It The Real Target?
PayID is just that unique, user-specific number, registered with each customer’s bank, and connected to a nominated bank account. This facilitates customers to make payments by quoting non-bank details like an email address or phone number, instead of having to retain in mind their account and BSB numbers.
To make it simpler – it is something like finding a person by merely entering his mobile number on the Facebook search bar!
PayID can only be utilised to put money into an account, and not to take money out. So, here arises the next question…
What Is The Point Of The Breach Then?
Cybercriminals were unable to use the PayID account names and numbers they received to withdraw cash from bank accounts.
But, they could use this data to send emails and texts to the account holders. They could include a website link and a request for the account holder to verify his identity, in the message.
Be informed – this is a clear cut form of PHISHING, where the scammers endeavour to trick people into transferring their personal info required to access bank accounts.
What NNP Says?
The financial sector is the second most-breached industry after healthcare in Australia, as per the Office of the Australian Information Commissioner (OAIC) statistics based on the reports received under the Notifiable Data Breaches (NDB) scheme.
With this episode being the second to hit PayID since June-2019 when Westpac was targeted with one of the most consequential abuses of PayID’s address lookup function, NNP has underscored how crucial is cybersecurity to all its endeavours.
These crimes are not just made by fellows who download and use a few pieces of malicious software from the murky web, but well-organised attacks that can penetrate all the existing information security barriers of financial organisations.
As cyber invaders continue to discover innovative approaches to breach cyber defences, organisations should give themselves the best chances of protecting client data by making sure that they adopt a strategic approach towards data security.
Need advice? Get in touch with CYBERNETIC GI – a cybersecurity company with years of experience in helping Australian businesses confront malicious attacks.