By Roger Baird on Thursday 22 August 2019
The New Payments Platform, a mobile and online payments system, said customer data at one of the financial firms in its system had been breached.
Australians are being warned about the second major banking breach in three months.
Customers’ bank PayID codes were “exposed by a vulnerability” at a financial services firm in the Australian banking system, according to the New Payments Platform, a real-time payments platform owned by 13 major financial firms such as ANZ, Commonwealth Bank and National Australia Bank.
PayID codes are used by consumers in mobile and online banking to authorise real-time payments, sparing customers from having to remember bank-state-branch numbers and their account number. A PayID code is only supposed to be known by the customer and their bank.
The New Payments Platform said it was informed about the issue last Friday, adding in a statement that the “technical issues underlying the exposure were identified and resolved immediately”.
Account numbers at risk
The platform did not disclose which financial firm was responsible for the breach.
It added: “The affected data included PayID name and account numbers. None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”
The New Payments Platform said affected customers were being notified.
In June, the details of almost 100,000 Westpac bank customers were exposed in a cyber attack that targeted PayID codes at the country’s second-largest bank by market value.
“Westpac can confirm we had detected misuse of the [New Payments Platform’s] PayID functionality and we took additional preventative actions which did not include a system shutdown,” a bank spokesman said at the time. “No customer bank account numbers were compromised as a result.”