P&N Bank in Western Australia (WA) is informing its customers that hackers may have accessed personal information stored on its systems following a cyber attack.
The financial organisation says in the breach notification sent to customers that the compromised system contained the following information: names, addresses, emails, age, customer and account numbers, as well as the account balance. All of this counts as personally identifiable information that is protected under the Privacy Act in Australia. As many as 100,000 individuals may be impacted by the incident, which was labelled as “sophisticated” by Andrew Hadley, the bank’s chief executive officer. The attack did not target P&N Bank directly. It occurred during a server upgrade around December 12, 2019, at a third party that was providing hosting services to the organisation.
Funds, social security numbers, and data in identification documents (driver’s license, passport) were stored on a different system and are safe.
It’s unfortunate that P&N fell victim to an attack like this, but it’s all too common these days. The best thing victims can do to protect themselves from further abuse is make sure they have two-factor authentication enabled, especially for sensitive accounts such as banking. They should also make a habit of using unique passwords, so that a breach of one service cannot be used against any other account where the same password was reused.
This again emphasises the importance of ensuring that our third-party vendors live up to our own organisation’s security standards. Your own organisation might be well secured, but if sensitive data is processed and stored elsewhere, the third party’s security should at least match your organisation’s security standards. Despite any precautions, the fact of the matter remains that no matter how secure an organisation is, breaches will happen. With our expanding reliance on third parties, the best defence is to be able to rapidly pinpoint what happened, where it happened and how it happened, and to ensure it will not happen again.
The cyber incident at P&N Bank illustrates how organizations can be susceptible to data breaches through their third parties. In this case, the bank was performing a server upgrade when attackers stole data through a hosting provider. As a result, customer information such as names, addresses, email addresses, account numbers and balances may have been compromised. Cyberattacks such as this one demonstrate why it’s not enough for organizations to assess their own systems; they must also assess the risk posed by connecting with third parties.
With the data stolen, customers are the primary targets for cybercriminals, who will use their information to take over accounts the victims hold with other online companies. There is also the risk of impersonation by bad actors who will create new accounts with the victim’s information or open new credit lines. With even SIN numbers stolen, companies and government services need to step up their verification requirements, as a SIN number is no longer a secret. For online banks and other organizations, more technologies are needed to distinguish legitimate customers from imposters. New technologies like behavioral analytics and passive biometrics are being leveraged to protect businesses and their customers from account takeover by recognizing customers’ online behavior instead of basing a decision on a password, SIN or another credential. Hackers are not able to mimic inherent user behavior online, making stolen credentials valueless.
Cyberattacks hit financial services firms 300 times more often than other companies in 2019, according to a 2019 report from Boston Consulting Group (BCG). Financial institutions continue to be a very attractive target for cyber criminals due to the large amounts of sensitive customer data they collect and store. Banks, such as P&N, must be aware of the evolving types of threats and the vulnerabilities that exist across their networks in order to protect customers’ data.
Security visibility and monitoring of systems, even those hosted outside of the organisation’s own network, are critically important. As in the case of this breach, P&N Bank relied on an outside party to host systems with sensitive data without having the visibility necessary to ensure that the third party had the proper security controls and processes in place to protect the data. Even if the breach was caused by the third party, the financial institution’s brand image and accountability are still what its customers associate with the incident.
Organizations need to include security controls and protections within contracts when partnering with third parties. This will not only limit a company’s liability if a breach were to occur, but it will also test the third party’s adherence to those controls and enable a company to monitor the controls themselves.