Major privacy and security breaches confirmed this week: Westpac, the ANU and Princess Polly targeted

By Cameron Abbott, Allison Wallace and Rebecca Gill

It’s been a chilly start to winter for three Australian organisations, who’ve this week reported major privacy and security breaches.

Up to 100,000 Australians’ personal information has been exposed in a hack affecting Westpac Bank. Westpac confirmed on Monday that details of Australian bank customers (not just those of Westpac) were exposed in a cyberattack on real-time payments platform PayID. The banking giant says it noted a high volume of PayID lookups in 2019 on a semi-daily basis. The lookups were the result of attackers trying to guess phone numbers; a correct guess would give them the name of the account holder to which the number is linked. Despite the hack, Westpac says that no customer bank account details were compromised as a result of this cyberattack. Nevertheless, experts warn that the details accessed could still be used to commit fraud.

In another significant incident, ANU emailed students, staff and alumni to notify them of a cyberattack affecting 19 years of personal data. The university reported that its systems were accessed illegally in late 2018, and that the personal information accessed included names, addresses, tax file numbers and academic records. The sheer size of the breach is just one concerning element – many public servants in Canberra attended ANU, and the university is also home to several schools and colleges frequented by government officials for short courses.

Finally, Australian fashion e-tailer, Princess Polly, also suffered a data breach that potentially involved customers’ personal and payment information being exposed to an “unidentified third party”. The data breach is said to have occurred between 1 November 2018 and 29 April 2019, but was only discovered more recently. Customers’ payment information was accessed by the third party as customers were typing in their credit card details to make a purchase. The attacker(s) may have also accessed customers’ billing and shipping information, usernames and passwords.

We are finding that it is becoming increasingly common for organisations to discover security breaches like these much later than the time of the actual breach. By the time a breach is identified, individuals’ personal information may be compromised and used for personal gain by the attackers. As always, these breaches should serve as a timely reminder for you to check what your organisation is doing to protect itself and your customers – and what more you can do or should be doing to mitigate the effects of a potential cyberattack.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.