Breach Notification , Digital Identity , Finance & Banking
NAB Apologizes After Breach of Personal DataAustralian Bank Says Customer Data Sent to Two Service Providers
National Australia Bank says it is contacting 13,000 customers after personal account data was uploaded without authorization to two data service providers.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
NAB, one of the four largest banks in the country, made the announcement late on Friday afternoon.
The data included customer names, birth dates, contact details and government-issued identification numbers such as a driver’s license or passport. Customers will be contacted either on the phone, by email or postal mail.
“There is no evidence to indicate that any of the information has been copied or further disclosed,” NAB says in a notice to customers.
NAB says that the data services companies, which have not been identified, say that data provided to them is deleted within two hours. No account log-in details or passwords were affected.
“We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers,” says NAB’s Chief Data Officer Glenda Crisp in the notice. “We take full responsibility. The issue was human error and in breach of NAB’s data security policies.”
NAB says it has notified the Office of the Australian Information Commissioner, which is the national data regulator. The OAIC oversees the enforcement of the Notifiable Data Breaches scheme, which by law requires certain types of data breach to be reported to those affected and to the government.
The Human Problem
Human error is responsible for a surprisingly high percentage of data breaches.
The OAIC publishes quarterly statistics on data breaches that have been reported to the government. Its latest report in May attributed 35 percent of 215 incidents to human error, making it the second largest category behind malicious or criminal attacks. The report covers the first three months of this year.
Acts attributed to human error range from losing paperwork or storage devices, to email addressing mishaps to accidentally releasing or publishing personal information. Misaddressing email accounted for most incidents, followed by releasing or publishing data by mistake.
The OAIC also breaks down the top five industries that had the most breaches attributed to human error. For the latest quarter, those were the healthcare industry followed by finance, legal and accounting, education and retail.
New Driver’s License?
NAB says it will cover the cost to get new government ID documents issued, such as a passport or driver’s license. It will also pay for independent fraud detection services.
A NAB spokeswoman tells ISMG that the offer is not contingent on people proving they are ID theft victims. A person’s driver’s license number is one of the most common bits of identification that is asked for when creating accounts or taking out loans.
Despite the widespread use of driver’s license numbers for identification, it isn’t easy and sometimes impossible to change a number, depending on the state where someone lives.
There are two numbers on a license: a license number and a card number. Replacing a license may cause the card number to change but not the license number, which is used for identification, according to IDCare, a Queensland-based charity that assists identity theft victims.
Fraud victims in the states of Victoria and Queensland can request a new license number, but they also have to prove they were victims of a crime, IDCare says. In most states, however, obtaining a new license number isn’t possible.
In May the ABC reported the troubles of three ID theft victims in New South Wales. All said their driver’s license numbers were used for fraud. One victim unsuccessfully sought to get a new driver’s license number through the state’s Roads and Maritime Services. Passports, however, are reissued with new numbers, IDCare says.