Aussie Bank Says Server Upgrade Led to Data Breach
Third-Party Hosting Provider to Blame, P&N Bank Says
P&N Bank in Perth, Australia, says a server upgrade gone wrong led to the breach of sensitive personal information in its customer relationship management system.
The CRM system contains names, mailing addresses, email addresses, phone numbers, customer numbers, ages, account numbers, account balances and what the bank described as other “nonsensitive” data related to interactions with customers.
“We are treating this information breach extremely seriously, and while we believe no one has been exposed to financial risk, I do wish to convey my deepest and sincere apologies for any concern that may be caused,” writes P&N Bank CEO Andrew Hadley.
The attack has not caused the loss of any customers’ funds, access to credit card details nor access to online banking passwords, Hadley writes.
The breach came to light after one of P&N’s customers posted a screenshot of an email notification sent to those affected. The West Australian newspaper put the number of those affected at about 100,000.
@troyhunt "non-sensitive" is not what I would have used to describe my breached data from P&N Bank! Received this notice 15mins ago. pic.twitter.com/BywQtf6qSE
— Nick (@vrNicknack), 15 January 2020
Hadley writes that the incident occurred around Dec. 12. The attack affected a third-party company that P&N Bank uses for hosting services. That company, which the bank declined to identify, was undergoing a server upgrade at the time, he writes.
“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability and have since been working closely with WAPOL [Western Australia Police Force], other federal authorities, our third-party IT provider involved, regulators and independent expert advisers to investigate and protect customers from any further risk,” he writes.
A scan of Domain Name System records using SecurityTrails, an investigative tool for network infrastructure, shows that P&N Bank has had relationships with a variety of hosting providers over the years, including Amazon; Melbourne IT, which is now part of Arq Group; and Amnet Pty Ltd., which is part of Vocus Group.
But it’s difficult to determine which company may have been involved, or whether the fault lies with an application service provider rather than web hosting. The bank didn’t respond to further questions.
A spokesman for the bank said it has notified the Office of the Australian Information Commissioner, Australia’s data protection regulator. In 2017, Australia’s Parliament passed a mandatory breach notification law, which has been enforced since February 2018 (see: Australia Enacts Mandatory Breach Notification Law). The law requires companies with more than $3 million in annual revenue and government agencies covered by the Privacy Act 1988 to report breaches to regulators and those affected within 30 days or face fines.
P&N Bank’s misfortune fits the pattern that security experts consistently warn about: third-party risk (see: Why Is Third-Party Risk Management So Complex?).
The Australian Cyber Security Centre, which is part of the Australian Signals Directorate, warned in June 2019 that vendors who aren’t properly managed can “transfer unreasonable risk to your system.”
“Know what makes a vendor high risk,” the ACSC says. “A high-risk vendor is any vendor that, by nature of the product or service they offer, has a significant influence over the security of your system. That vendor can be subject to adverse extrajudicial direction, or the vendor’s poor cyber security posture means they are subject to adverse external interference.”
The ACSC recommends four steps. First, evaluate the business value of each system in order to calculate the risk it carries. Second, perform risk assessments with an understanding of how a system could be exploited and an awareness of current threats. Third, re-architect a system where necessary to reduce the risks, and reduce them further by picking vendors with a strong cybersecurity commitment. Lastly, monitor supply chains and controls on an ongoing basis.
“Your supply chain and the systems they support will change over time,” the ACSC says. “Regularly monitor and review your SCRM [supply chain risk management] and the controls. Ensure that the whole organization supports a secure supply chain and any incidents are reported in a consistent manner.”