P&N Bank in West Australia (WA) is informing its customers that hackers may have accessed personal information stored on its systems following a cyber attack.

The financial organisation says in the breach notification sent to customers that the compromised system contained the following information: names, addresses, emails, age, customer and account numbers, as well as the account balance. All this counts as personally identifiable information that is protected under the Privacy Act in Australia. As many as 100,000 individuals may be impacted by the incident, which was labelled as “sophisticated” by Andrew Hadley, the bank’s chief executive officer. The attack did not target P&N Bank directly. It occurred during a server upgrade around December 12, 2019, at a third party that was offering hosting services to the organisation.

Funds, social security numbers, and data in identification documents (driver’s license, passport) were stored on a different system and are safe.

Experts' Comments

January 16, 2020
Hugo Van den Toorn
Manager, Offensive Security
Outpost24
This again emphasises the importance of ensuring that our third-party vendors live up to our own organisation’s security standards. Your own organisation might be well secured, but if sensitive data is processed and stored elsewhere, the third party’s security should at least match your organisation’s security standards. Despite any precautions, the matter of the fact remains that no matter how secure an organisation is, breaches will happen. With our expanding reliance on third parties, the best defence is to rapidly be able to pinpoint what happened, where it happened, how it happened and to ensure it will not happen again.
January 16, 2020
Elad Shapira
Head of Research
Panorays
The cyber incident at P&N Bank illustrates how organizations can be susceptible to data breaches through their third parties. In this case, the bank was performing a server upgrade when attackers stole data through a hosting provider. As a result, customer information such as names, addresses, email addresses, account numbers and balances may have been compromised. Cyberattacks such as this one, demonstrate why it’s not enough for organizations to assess their own systems; they must also assess the risk posed by connecting with third parties.
January 16, 2020
Robert Capps
VP
NuData Security
With the data stolen, customers are the primary targets for cybercriminals, who will use their information to take over accounts the victims have with other online companies. There is also the risk of impersonation by bad actors who will create new accounts with the victim’s information or open up new credit lines. With even SIN numbers stolen, companies and government services need to step up their verification requirements as a SIN number is not a secret code anymore. For online banks and other organizations, more technologies are needed to verify legitimate customers from imposters. New technologies like behavioral analytics and passive biometrics are being leveraged to protect businesses and their customers from account takeover by recognizing customers’ online behavior instead of basing a decision on a password, SIN or another credential. Hackers are not able to mimic inherent user behavior online, making stolen credentials valueless.
January 17, 2020
Kayla Gesek
Product Manager
OneLogin
It’s unfortunate that P&N fell victim to an attack like this, but it’s all too common these days. The best thing victims can do to protect from further abuse is make sure they have 2-factor authentication enabled, especially for sensitive information like banking data. Also, they should create a habit of using unique passwords. This will help from impacting any other accounts where they may have reused their password.
January 16, 2020
James Carder
Chief Information Security Officer & Vice President
LogRhythm Labs
In 2019, cyberattacks hit financial services firms 300 times more than other companies in the past year, according to a 2019 report from Boston Consulting Group (BCG). Financial institutions continue to be a very attractive target for cyber criminals due to the large amounts of sensitive customer data collected and stored. Banks, such as P&N, must be aware of the evolving types of threats and the vulnerabilities that exist across their networks in order to protect customers’ data. Security visibility and monitoring of systems, even those hosted outside of a network, are critically important. As with the case of this breach, P&N Bank relied on an outside party to host systems with sensitive data without having the visibility necessary to ensure that the third party had the proper security controls and processes in place to protect the data. Even if the breach was caused by the third party, the financial institutions’ brand image and accountability are still directly associated with their customers. Organizations need to include security controls and protections within contracts when partnering with third parties. This will not only limit a company’s liability if a breach were to occur, but it will also test the third party’s adherence to those controls and enable a company to monitor the controls themselves.