Community-owned bank discloses the hacker attack that may have exposed data of 100K customers
Police & Nurses Credit Society, a community-owned credit institution, has recently announced the loss of sensitive data that was obtained back in December, when a hacker accessed bank systems during a server upgrade at an outside hosting service.[1] Also known as P&N Bank, the institution has about 96,000 customers, all of whom are now at risk of identity theft and similar threats. Many of them are nurses and police officers, even though services are provided to the public at large.[2]
As the official statement issued on January 16 suggests, hackers accessed data stored on the bank’s customer relationship management platform, which was separated from the core banking system.[3] However, plenty of personal details were exposed, including names, addresses, emails, phone numbers, customer IDs, ages, account numbers, and balances. These records of interactions with customers may also include non-sensitive data.
Officials still state that passwords, social security numbers, passport and driver license numbers, and more sensitive information about customers’ health are not stored on the server that was initially accessed:
P&N Bank’s core banking system is completely isolated and separate from the impacted system.
The attack occurred during a server upgrade
P&N Bank engages a third-party company to provide hosting services. Officials report that the criminal activity took place during a system upgrade on a separate host around 12 December 2019. When the hacking was spotted, the source of the vulnerability was shut down immediately to avoid further damage, but personal information may already have been obtained.
Since then, P&N Bank has been working with the West Australian Police Force and other federal authorities, IT providers, independent experts, and advisers. The investigation is still ongoing, so there is not much information about the breach. However, the company is trying to protect customers from any further risks and possible issues, as the CEO of P&N Bank states:
The safety and security of our members’ information and funds is our highest priority. Data protection continues to be a focus around the world, and financial systems will always present some degree of risk, so it is important to stress that in line with best practice, we have highly sophisticated security measures and controls in place to protect our customers’ accounts.
Many sensitive details and identifiable information got exposed
The breach was addressed in emails that customers received on Wednesday.[4] However, the breach was discovered a month ago, so customers are not happy with such poor management and with the fact that there is no information on how many customers have been affected in total.
All information reportedly stored on the accessed system is considered personally identifiable and is protected by the Privacy Act in Australia.[5] Data like ages, names, emails, and addresses can be valuable to hackers and can be misused by them in malicious campaigns or highly targeted scams.[6]
Since 100,000 is the official number of customers, all of them may be impacted by the incident, even though the attack was not targeting the bank directly and was discovered during a server upgrade. Nevertheless, Andrew Hadley, the CEO of P&N Bank, called this cyberattack sophisticated.