P&N Bank has revealed that during a server upgrade it was struck by a cyber attack, exposing the personally identifiable information (PII) of its customers.
P&N Bank has begun alerting its customers about an “information breach”, to which they explain that on December 12, 2019 a cyber attack took place during a server upgrade. It is believed that the entry point was a third party company that P&N engages with to provide hosting services.
Security researcher, @vrNicknack on Twitter, notified Troy Hunt, founder of haveibeenpwned, on Twitter about a notice he had received from the bank.
Possible compromised information include names, addresses, email addresses, phone numbers, customer numbers, age, account numbers, account balance, and other non-sensitive information.
Passwords, Social Security numbers, credit card numbers, passport details or driver’s license, Tax file numbers and dates of birth have not been compromised.
It is currently not known as to how many customers have been impacted.
“Upon becoming aware of the attack, we immediately shut down the source of the vulnerability and have since been working closely with WAPOL [West Australian Police Force], other federal authorities, our third-party IT provider involved, regulators and independent expert advisers to investigate and protect customers for any further risk,” read the notice.
P&N Bank remains confident that the attack has not caused the loss of any customer funds; has not enabled third parties to access customer credit card details; and not compromised any banking passwords.
“Data protection continues to be a focus around the world, and financial systems will always present some degree of risk, so it is important to stress that in line with best practice, we have highly sophisticated security measures and controls in place to protect our customers’ accounts.”