Australian Banks Security Breach, as Revealed by a Freedom of Information Request

Not all countries in the world have a Freedom of Information Law, however, for those that have, it is highly recommended to the citizens to take advantage of it. There are certain stories that will never rise into the public’s consciousness if Freedom of Information Law does not exist. This scenario exactly what happened in Australia, as it was revealed through a Freedom of Information request. Westpac has admitted that it had 18 security breaches from January 2012 to April 2018. Other three large banks are not exempted from data breaches, Commonwealth Bank had three, NAB had nine and ANZ had two. Cybersecurity is a huge problem in the banking sector, as they are the favorite targets of cybercriminals using the principle: “follow the money.”

The information of a huge ANZ data breach is revealed in Scribd page, where detailed blow-by-blow accounts were enumerated for everyone to see. “Two ANZ employees contacted ANZ’s payroll department to seek their own personal information. The payroll department inadvertently sent by email to each of the 2 employees a batch file containing not only their personal employment information but that of approximately 100 other ANZ employees. The information in question included names, job titles, salaries, tax file numbers. The recipients have stated that they have not disseminated the information, and have deleted the files. ANZ has shut down the ability for the payroll department to send attachments of this type by email, and has directed that all future requests for employment information from the payroll department be fulfilled in hard copy,” said by Timothy Pilgrip, Acting Australian Information Commissioner.

Westpac also had a controversial security breach which was caused by one of their employees who released 80 customer login credentials to a mortgage broker named Marten Pudun, a former relationship manager. Westpac replied with a generic response: “We initially identified this with respect to some Westpac customers who obtained home loans through this particular mortgage broker group and relates to temporary passwords established when the customer originated their online banking. We are also making an ex gratia offer to both customers to reflect the seriousness in which we are handling this matter. When we make mistakes, we make sure we put it right by remediating affected customers, informing all relevant authorities, making process changes to prevent similar incidents, and where necessary, taking disciplinary action against employees who are found to have done the wrong thing in accordance with our Westpac Group Code of Conduct.”

Australia is trying to remedy the growing number of data breaches, starting in April 2018, banks “must” report privacy breaches to the Australian Information Commissioner. This is almost similar to how the European Union deal with victims of data breaches through the regional GDPR Law. This is basically Australia, taking the matter in its own hands and copying the successful implementation of the European GDPR in its local banking scene. “One of the fastest growing areas of litigation in America, and it’s starting here now, is privacy class actions. So a bank may find themselves as a defendant in a privacy class action, where the class of the individuals is seeking compensation or redress,” said Michael Rivette, a privacy law practitioner in Australia.