Australia has been hit by a serious data breach that took place on December 12, 2019. P&N Bank, the largest member-owned bank in Western Australia, has been affected: its CRM system was accessed by threat actors.
The most worrying aspect of the story is that the bank confirmed that personal customer information has been exposed, including names, addresses, email addresses, phone numbers, customer numbers, age, account number, and account balance.
According to the official statement, “the information stored in this system does not contain passwords or other information such as Driver’s License number, Passport number, Social Security number, Tax File number, Credit Card number, birthdate, or any other sensitive or health information.”
How did the P&N Bank data breach happen?
The official statement says that “the criminal activity took place around 12 December 2019, via an attack during a server upgrade, on a third party company that P&N Bank engages to provide hosting services.”
Once P&N Bank became aware of the attack, it quickly shut down “the source of the vulnerability”. Currently, the organization is working with the federal authorities and independent experts to investigate the breach and protect its customers from further incidents.
“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability and have since been working closely with WAPOL, other federal authorities, our third-party IT provider involved, regulators and independent expert advisers to investigate and protect customers from any further risk.”
In October last year, another data breach affected the Italian branch of UniCredit Bank. Apparently, this breach took place in 2015 and is related to a file from the same year containing emails and phone numbers of millions of Italian customers. The bank has spent 2.4 billion euros since 2016 to upgrade its systems and improve its protection mechanisms.
According to UniCredit’s official statement, the breached information didn’t contain any details that would allow access to customer accounts. The compromised data can’t be used to carry out unauthorized financial transactions, either.