PayID breach ‘an in-house job’

By Ian Rogers | Payments, mobile & wallets

A privacy breach by an ADI affiliated with Cuscal has led to the first compromise of PayID records on the New Payments Platform, affecting customers across many banks.

NPP Australia and Cuscal issued statements on the breach yesterday.

Conjecture is that an ADI with a core banking system developed and maintained in-house was responsible, though Banking Day so far is unaware of the ADI involved.

NPP Australia said it was advised late in the evening of Friday, 16 August “that a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.

“Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately.

“The affected data included PayID name and account numbers. None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”

Cuscal said that it had “provided the data and analytics to all the institutions” and that contacting customers to share news of this breach “should already have begun”.

Commonwealth Bank, at least, has begun to do so, its Twitter feed confirms.

Cuscal said “upon identification of the issue our client took immediate action to remediate, as well as putting additional alerting in place to mitigate against further incidents.

“In addition, technology changes were made by the client immediately to prevent any further PayID data and to reduce the risk of PayID data being inappropriately obtained by others in the future.”

In June, Westpac advised customers that it had thwarted attempts by hackers to misuse the PayID Addressing Service.