IT expert says NAB's response to privacy breach is "odd"

George Lekakis
One of Australia's leading digital security experts has questioned the National Australia Bank's handling of a data breach that resulted last week in the leaking of 13,000 customer files to two external data service companies.

Dr Roger Clarke, the principal of IT security and privacy consultancy Xamax, described aspects of NAB's public explanation of the data breach as "odd", saying it raised doubts about the professionalism of bank staff managing the incident.

One of the matters of concern to Clarke is the lack of assurance given to NAB by the data companies about what happened to the information.

The bank said in a press release issued last Friday that NAB security teams contacted the companies and were advised "that all information provided to them [the data companies] is deleted within two hours".

"If that's all that NAB staff asked about, then either their professionalism is seriously inadequate, or they're reckless," Clarke said.

NAB's disclosure merely restated the two companies' standing policies and procedures for handling received data; it did not amount to an attestation that this particular batch of customer information had actually been deleted.

Banking Day yesterday asked NAB to confirm whether the security teams' inquiries had delved any deeper into what happened to the data, but a bank spokesman said he was unable to comment.

Clarke said the bank needed to establish that the data was not copied before it was deleted, and he raised the possibility that routine backup processes at each of the data companies could have replicated the customer information.

NAB also needed to establish that there had been no unauthorised access to the data while it was held.

The bank faced the risk that each of the data service companies might not be able to give written assurances to NAB and the Office of the Australian Information Commissioner that no customer files were accessed or copied.

Clarke suggested that most data service companies have systems in place to inspect unsolicited information delivered to their computer servers.

"Unsolicited arrivals at a server need to be treated as infectious, quarantined and inspected," he said.

"We seem to have no information about whether that occurred."

Clarke questioned the claim that the data service companies kept no copies of data sent to their computer systems, since in some cases duplication might be required to investigate any subsequent enquiries or complaints.

Copying the data might also be necessary for data companies to defend themselves against any potential legal actions.

Clarke said NAB's decision not to disclose the identity of the data service companies might indicate that the incident was serious.

"The risks are materially different depending on who the data service companies are, where they are and why they are recipients of such data," he said.

"It's therefore completely inadequate to an understanding of the significance or otherwise of the matter for the bank to refuse to disclose the companies' identities.

"Furthermore, it raises the spectre that the matter was at the serious end of the spectrum and/or that naming the companies would draw attention to the existence of data flows that the public is unaware of."

The data breach is the latest in a string of operational failures at NAB since 2013 that have drawn special attention to its risk culture from the Australian Prudential Regulation Authority.

In a self-assessment of its governance and culture in November last year, the bank's board highlighted weaknesses in its data management activities and pledged to commit more resources to improve performance.

However, operational breakdowns have continued this year as evidenced by the rise in critical outage incidents at the bank.

While Australia's widely-panned banking regulator recently imposed a $500 million capital penalty on the NAB in response to the findings of its self-assessment, Clarke is doubtful that the OAIC is capable of holding NAB to account for the privacy breach.

"The OAIC has zero credibility in relation to either privacy protection or security expertise," he said.

"The very poor behaviour of the NAB in the matter is indicative of the very low standard of security among Australian corporations and government agencies generally.

"The OAIC's weakness and corporation-friendliness is a significant factor in this malaise, because it has refused to apply meaningful sanctions even for serious breaches."