A major cyber security breach has seen the private details of almost 100,000 Westpac customers exposed after the bank’s system was attacked by hackers.
Cyber criminals targeted the real-time payments platform PayID, which allows the instant transfer of money between banks using either a mobile number or email address.
PayID allows anyone to enter a mobile number or email address to confirm the name of the corresponding account holder, which can put Aussies at risk of an enumeration attack – when a malicious actor uses brute-force to either guess or confirm valid users in a system.
The attack on Westpac also affects customers from other banks.
Westpac confirmed the attack, but would not say exactly how many Australians had been affected.
“Westpac can confirm we had detected mis-use of the PayID functionality and we took additional preventative actions which did not include a system shutdown,” a spokesman told SMH.
“No customer bank account numbers were compromised. There has been no further inappropriate activity detected.”
In a confidential memo obtained by the Sydney Morning Herald and The Age, the bank said a “high level” of PayID lookups was made from seven compromised Westpac Live accounts.
“[Around 98,000] of the lookups successfully resolved to a short name and this was displayed to the fraudster,” the email read.
It added attacks were “continuing on a semi-daily basis” with hackers “trying phone numbers in a semi-sequential manner”.
Nine finance editor Ross Greenwood said the breach raises questions about whether customers should be using the PayID system at all.
“I suggest that there is going to be a pause on this Pay ID system until people can really be certain that their data won’t be breached and their name and telephone number are not linked and sent out,” he told Today.
He added while there may not have been money taken as a direct result of the attack, cyber criminals are getting sensitive information about customers that “could see secondary hacks of those people”.
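The lookup pattern described in the memo, a high volume of lookups from a small number of accounts with phone numbers tried in a semi-sequential manner, is the kind of behaviour a bank can flag from its own lookup logs. The sketch below is an added example, not code from Westpac or the PayID platform; the log format, account names, phone numbers and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: (timestamp_seconds, account_id, looked_up_mobile).
# Account ids and numbers are invented for illustration.
def build_sample_log():
    log = []
    # Normal customer: a handful of unrelated lookups spread over a day.
    for i, num in enumerate(["0400111222", "0433987654", "0419000321"]):
        log.append((i * 20000, "acct-normal", num))
    # Abused account: many lookups walking the number space in small steps.
    base = 400500000
    for i in range(200):
        num = "0" + str(base + i * 3 + (i % 2))  # semi-sequential, not strictly +1
        log.append((1000 + i * 5, "acct-abused", num))
    return sorted(log)

def flag_enumeration(log, window=3600, max_lookups=50, max_step=10, seq_ratio=0.8):
    """Return {account: reason} for accounts whose lookups look like enumeration.

    Thresholds are illustrative assumptions, not values from the article.
    """
    per_account = defaultdict(list)
    for ts, account, number in log:
        per_account[account].append((ts, int(number)))
    flagged = {}
    for account, events in per_account.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            if len({n for _, n in in_window}) <= max_lookups:
                continue
            # Volume exceeded: measure how many consecutive lookups are near neighbours.
            nums = [n for _, n in in_window]
            close = sum(1 for a, b in zip(nums, nums[1:]) if 0 < abs(b - a) <= max_step)
            ratio = close / (len(nums) - 1)
            flagged[account] = "sequential-volume" if ratio >= seq_ratio else "volume"
            break
    return flagged

if __name__ == "__main__":
    print(flag_enumeration(build_sample_log()))
```

Counting distinct identifiers per account, rather than raw requests, keeps a customer who repeatedly pays the same few people below the threshold.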