According to this link, https://www.9news.com.au/national/nab-data-breach-privacy-human-error-australia-bank-news/881315dd-078f-4263-ba3b-c169771adc56, National Australia Bank Ltd says 13,000 customers are being contacted after a breach in which personal data was uploaded without permission to two data service companies.
- The breach resulted from human error
- The data uploaded included customer names, dates of birth, contact details and, in some cases, government identity numbers
- The data service companies told NAB that information they receive is deleted within two hours; however, affected customers are still due to hear from the bank within the coming days
This breach illustrates that, regardless of the number of technical controls in place, their effectiveness can be negated by human error.
This is why security controls should factor in accidents and insider threats. Additionally, educating and training users on security and privacy issues, and on best practices for handling sensitive data, is of utmost importance. Otherwise, we can expect to keep seeing breaches that could have been prevented.
Although NAB stated this was not a cyber security event but human error, it still impacts the privacy and protection of customer information. Normal cyber security controls would have little impact on these types of issues. DLP policies could now be tightened; however, this is just “closing the stable door after the horse has bolted”. The only way to quickly identify and block this sort of data breach (classified as a breach as it breaches NAB policies) would be to use behaviour analytics to identify the anomalous behaviour, and automation and orchestration to automatically block the transactions or traffic flow.
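
A sketch of the behaviour-analytics idea above, added here as an illustration and not taken from NAB or the linked article: each user's past uploads form a baseline, and an upload to a destination the user has never used, at a volume far above their norm, is blocked automatically. The event fields, host names, thresholds and the median/MAD scoring are all assumptions made for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed upload history (user, destination host, bytes sent); not real data.
HISTORY = [
    ("alice", "files.internal.example", 100_000),
    ("alice", "files.internal.example", 120_000),
    ("alice", "partner-sftp.example", 110_000),
    ("alice", "files.internal.example", 130_000),
    ("alice", "partner-sftp.example", 90_000),
    ("alice", "files.internal.example", 115_000),
]

def build_baseline(history):
    """Per-user set of destinations already used and list of past upload sizes."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for user, dest, nbytes in history:
        dests[user].add(dest)
        sizes[user].append(nbytes)
    return dests, sizes

def size_threshold(samples, k=5.0):
    """Robust upper bound on normal volume: median + k * median absolute deviation."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples) or 1  # avoid a zero-width band
    return med + k * mad

def decide(event, dests, sizes, min_history=5):
    """Return (action, reasons); action is allow, alert, block or review."""
    user, dest, nbytes = event
    if len(sizes[user]) < min_history:
        # Too little history to judge: hand to a person instead of guessing.
        return "review", ["insufficient baseline"]
    reasons = []
    if dest not in dests[user]:
        reasons.append("new destination")
    if nbytes > size_threshold(sizes[user]):
        reasons.append("volume above baseline")
    if len(reasons) == 2:
        return "block", reasons   # both signals together: stop the transfer
    if reasons:
        return "alert", reasons   # one signal: let it through but notify
    return "allow", reasons

if __name__ == "__main__":
    dests, sizes = build_baseline(HISTORY)
    for ev in [("alice", "files.internal.example", 105_000),
               ("alice", "upload.dataservice.example", 100_000),
               ("alice", "upload.dataservice.example", 48_000_000),
               ("bob", "upload.dataservice.example", 5_000)]:
        print(ev, "->", decide(ev, dests, sizes))
```

Requiring both signals before blocking keeps a legitimate first upload to a new partner at the alert level, which is the trade-off any automated block has to make against false positives.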