NAB leaks personal data of 13,000 customers in embarrassing snafu

NAB

National Australia Bank. Source: AAP/Mick Tsikas.

National Australia Bank (NAB) has become embroiled in its second significant data breach in three years, revealing the names and contact details of about 13,000 customers were accidentally shared with two data service companies.

Dates of birth, and in some cases, government-issued identification numbers such as drivers’ licences, were also inadvertently uploaded to third-party servers, the bank conceded last Friday.

The third-party data service providers have told NAB they deleted all the information they were sent “within two hours”, while the bank claims there’s “no evidence” to suggest the data was further copied or disclosed.

The bank found out about the breach on Wednesday and has mobilised significant internal resources to contact two-thirds of the affected parties over the last three days.

The breach is the second significant leak of consumer data to flow from NAB in the last three years. Back in 2017, human error saw it send the personal details of 60,000 clients to a business person who hosts adult websites.

NAB chief data officer Glenda Grisp was called up to deliver an apology to customers last Friday, but chose not to characterise the breach as a cyber security issue, despite conceding the bank’s data security policies were breached.

“The issue was human error and in breach of NAB’s data security policies,” Crisp said in a statement.

“I sincerely apologise to the affected customers. We take full responsibility,” she said.

The bank has contacted the office of the Australian Information Commissioner and is in the process of calling, emailing or writing to affected customers.

NAB has offered to cover the cost of re-issuing government identification for affected customers, alongside costs associated with “enhanced fraud detection identification”.

It’s not the first time a business, large or small, has found itself dealing with a data breach as a result of human error.

The capacity for human error is routinely highlighted by experts as one of the primary cyber security risks facing companies.

Last year, Woolworths-owned BIG W leaked the personal information of 32 customers when a worker placed confidential information in a pile of test print-outs provided to a customer.

Andrew Bycroft, chief executive of the International Cyber Resilience Institute, has told SmartCompany the role of human error addressing risks remains the key digital security challenge facing businesses in Australia and elsewhere.

“Businesses think it’s actually a technology problem that can be solved by tech … but it’s a human crime,” Bycroft has said.

NOW READ: ATO warning as $800,000 stolen: Are data breaches fuelling sophisticated scams?

NOW READ: “Marketing fluff”: What startups can learn from Canva’s data-breach response

COMMENTS