Data breach leaves PayID’s customer details exposed
PayID, a service that enables users to identify their bank account and use it to send or receive money, has been the target of unsavoury activity, this time with a number of records and associated data in the addressing service exposed.
The company was introduced to Australia as part of the New Payments Platform (NPP) – Australia’s real-time payments platform mutually owned by 13 major financial institutions. The affected data included PayID name and account numbers.
A 20 August statement from NPP Australia – the company charged with the oversight of all of the transactions moving through the system – confirmed the data was exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.
Cuscal told NPP Australia that the client-side technical issues underlying the exposure were identified and resolved immediately. Cuscal’s client has advised that the appropriate regulatory notifications have been made. “None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement,” says NPP Australia in a statement.
The latest breach follows Westpac in June confirming its PayID lookup function was misused. Westpac witnessed 600,000 PayID lookups stemming from seven compromised Westpac Live accounts. Around 98,000 of the lookups were successfully resolved to a short name and displayed to the “fraudster”. No customer bank account numbers were compromised as a result.
The NPP went live in February last year. Its infrastructure was built by the Reserve Bank of Australia (RBA), in consultation with the Commonwealth Bank of Australia (CBA), the National Australia Bank (NAB), the Australia and New Zealand Banking Group (ANZ), and Westpac, which hold around 95% market share of the entire Australian finance industry between them.
At launch, there were 13 participants in the NPP, including three entities that are service providers for smaller institutions. In addition to the RBA and the Big Four, they are: Australian Settlements Limited (ASL), Bendigo and Adelaide Bank, Citigroup, Cuscal, HSBC Bank Australia, Indue, ING Australia, and Macquarie Bank.