Banks have begun to warn customers of a new PayID data breach, which was reported late Friday to NPP Australia, the body that oversees the New Payments Platform.
NPP Australia said that an unrevealed number of PayID records “and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.”
“Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately,” it said in an advisory.
“The affected data included PayID name and account numbers.
“None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”
A Cuscal spokesperson told iTnews that the unspecified client of Cuscal “experienced a spike in PayID enquiries and resolutions via a number of customer accounts.”
However, the spokesperson said that “no financial transactions took place in this process and the issue has been remediated” and that “technology changes were made by the client immediately to prevent any further PayID data and to reduce the risk of PayID data being inappropriately obtained by others in the future.”
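The behaviour Cuscal describes, a spike in PayID enquiries and resolutions spread across customer accounts, is the kind of pattern a lookup-abuse alert on a participant's own audit logs can catch. The following is an added example, not code from Cuscal, NPP Australia or any bank; the log format, account identifiers, window and threshold are constructed assumptions.

```python
# Added example (not Cuscal's, NPP Australia's or any bank's code): a detection
# rule over constructed PayID-lookup audit records. It flags source accounts whose
# number of successful PayID resolutions inside a sliding window exceeds a limit.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (chronological): timestamp, querying account,
# PayID looked up, outcome. Account A1 resolves six PayIDs in ten seconds;
# A2 makes two lookups; A3 makes three lookups ten minutes apart.
SAMPLE_LOG = """\
2019-08-16T21:00:01Z acct=A1 payid=0400000001 result=resolved
2019-08-16T21:00:02Z acct=A2 payid=0400000101 result=resolved
2019-08-16T21:00:03Z acct=A1 payid=0400000002 result=resolved
2019-08-16T21:00:04Z acct=A2 payid=0400000102 result=resolved
2019-08-16T21:00:05Z acct=A1 payid=0400000003 result=resolved
2019-08-16T21:00:07Z acct=A1 payid=0400000004 result=resolved
2019-08-16T21:00:09Z acct=A1 payid=0400000005 result=resolved
2019-08-16T21:00:11Z acct=A1 payid=0400000006 result=resolved
2019-08-16T21:00:13Z acct=A1 payid=0400000007 result=not_found
2019-08-16T21:10:00Z acct=A3 payid=0400000201 result=resolved
2019-08-16T21:20:00Z acct=A3 payid=0400000202 result=resolved
2019-08-16T21:30:00Z acct=A3 payid=0400000203 result=resolved
"""

WINDOW = timedelta(minutes=5)       # assumed sliding window
MAX_RESOLVED_PER_WINDOW = 5         # assumed per-account limit for the window

def parse_line(line):
    """Split one constructed audit line into (timestamp, account, payid, result)."""
    ts, acct, payid, result = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            acct.split("=", 1)[1], payid.split("=", 1)[1], result.split("=", 1)[1])

def find_lookup_spikes(log_text, window=WINDOW, limit=MAX_RESOLVED_PER_WINDOW):
    """Return {account: peak successful lookups in any window} for accounts over limit."""
    recent = defaultdict(deque)   # account -> timestamps of resolutions still in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, acct, payid, result = parse_line(line)
        if result != "resolved":
            continue              # only count lookups that actually returned a name
        q = recent[acct]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop resolutions that have aged out of the window
        if len(q) > limit:
            flagged[acct] = max(flagged.get(acct, 0), len(q))
    return flagged
```

Running `find_lookup_spikes(SAMPLE_LOG)` flags only A1; a production rule would also weigh failed lookups and the number of distinct PayIDs touched across many accounts.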
“As a shareholder Participant and sponsor of Identified Institutions in the NPP, Cuscal takes our role seriously, and we will continue to monitor and support this highly valued service,” its spokesperson said.
NPP Australia stated that details had been provided to the financial institutions whose customer information was affected “so that they are able to take the necessary action, including customer notification and improved due diligence on affected accounts.” This is understood to be why CBA customers last night received data breach notifications, which referred to “a sophisticated attack on anointing
CBA’s notice stated that “customers whose personal information has been disclosed to third parties through a sophisticated PayID scam have been proactively contacted.”
It said the information involved could include mobile numbers, email addresses, customer names, BSBs and account numbers. Responding to customer questions on social media, CBA confirmed the emails were legitimate. It is the second PayID incident since June, when Westpac was targeted by large-scale abuse of PayID’s address lookup function.
NPP Australia stated that the two incidents would lead to tighter security controls for institutions using the system.
“Cybersecurity is an issue of paramount importance to NPP Australia,” it said.
“As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing endpoint security to ensure that the controls are executed as intended.”
Cuscal stated that both the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) had been notified.