P&N Bank has alerted customers of a data breach which has exposed a large amount of sensitive information.
According to information shared on Twitter by Australian security researcher @vrNicknack, the incident occurred on 12 December 2019 during a server upgrade to a third-party hosting provider.
— Nick (@vrNicknack) 15 January 2020
Since then, P&N has confirmed the incident.
The Australian bank, a division of Police & Nurses Limited, has informed customers that unknown threat actors have been able to access personal information stored within its Customer Relationship Management (CRM) system.
The affected system, according to P&N in the notice, has stored a large amount of personally identifiable information (PII) as well as other sensitive data, including names, addresses, email addresses, phone numbers, customer numbers, age, account numbers and balance, and other details that the bank refers to as non-sensitive.
Passwords, date of birth, health information, driver’s license numbers, passport numbers, social security numbers, tax file numbers and credit card numbers were not included in the breach, the bank says.
A P&N spokesperson confirmed that no customer bank accounts had been accessed by the attackers in the event.
“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability,” P&N reveals.
The bank also states that the data breach did not cause the disappearance of customer funds, that credit card details were not compromised, and that account credentials were not revealed, because its central banking system is completely disconnected from the affected environment.
P&N has already told customers that it has advised regulators about the accident. The bank says it has been focusing on resolving the violation with West Australian Police Force (WAPOL), the hosting company concerned, specialist advisors, and regulators.
The bank has yet to provide details on the type of attack it has fallen victim to and the number of customers impacted.
“The cyber incident at P&N Bank illustrates how organizations can be susceptible to data breaches through their third parties. In this case, the bank was performing a server upgrade when attackers stole data through a hosting provider,” Elad Shapira, Head of Research for Panorays, told SecurityWeek in an emailed comment.
“Cyber-attacks such as this one, demonstrate why it’s not enough for organizations to assess their own systems; they must also assess the risk posed by connecting with third parties,” Shapira continued.
*Updated with response from P&N