Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

P&N Bank Data Breach Exposes Trove of User Data

P&N Bank has notifed customers of a data breach that resulted in a large amount of sensitive information being compromised. 

P&N Bank has notifed customers of a data breach that resulted in a large amount of sensitive information being compromised. 

According to information shared on Twitter by Australian security researcher @vrNicknack, the incident took place on December 12, 2019, during a server upgrade on a third-party hosting provider. 

P&N has since confirmed the incident.

The Australian bank, a division of Police & Nurses Limited, informed customers that unknown threat actors managed to access personal information stored within its customer relationship management (CRM) system. 

The affected system, P&N says in the notice, stored a great deal of personally identifiable information (PII), as well as other sensitive data, including names, addresses, email addresses, phone numbers, customer numbers, age, account numbers and balance, and other details, which the bank refers to as non-sensitive. 

Passwords, birthdate, health information, driver’s license numbers, passport numbers, social security numbers, tax file numbers, and credit card numbers were not included in the breach, the bank says. 

A P&N spokesperson confirmed to SecurityWeek that no customer bank accounts were ever accessed by the attackers in this incident.

“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability,” P&N reveals. 

Advertisement. Scroll to continue reading.

The bank also says that, because its core banking system is completely isolated from the impacted system, the data breach did not cause the loss of customer funds, that credit card details were not accessed, and that banking passwords were not exposed. 

P&N told customers it has already informed authorities on the incident. The bank says it has been working with West Australian Police Force (WAPOL), the involved hosting provider, expert advisers, and regulators on investigating the breach. 

The bank has yet to provide information on the type of attack it fell victim to and the number of affected customers. 

“The cyber incident at P&N Bank illustrates how organizations can be susceptible to data breaches through their third parties. In this case, the bank was performing a server upgrade when attackers stole data through a hosting provider,” Elad Shapira, Head of Research for Panorays, told SecurityWeek in an emailed comment. 

“Cyber-attacks such as this one, demonstrate why it’s not enough for organizations to assess their own systems; they must also assess the risk posed by connecting with third parties,” Shapira continued. 

*Updated with response from P&N

Related: Capital One Discloses Massive Data Breach: 106 Million Impacted

Related: Dixons Fined by UK Regulator Over Data Breach

Related: Cloud(y) with a Chance of a Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.