P&N Bank has disclosed a data breach in which personally identifiable information (PII) and sensitive account information of its customers were exposed.
A security researcher known under the Twitter handle @vrNicknack contacted Troy Hunt, the operator of the Have I Been Pwned? search engine, with a notice he had received from the bank.
P&N Bank, a division of Police & Nurses Limited operating in Western Australia, has sent a notice to its customers informing them of the breach, which occurred through its customer relationship management (CRM) platform.
The bank stated that certain personal information […] appears to have been accessed as a result of online criminal activity.
The cyberattack took place in December, while the bank was carrying out a server upgrade. A company hired by P&N Bank to provide hosting was believed to be the entry point.
P&N Bank reports that names, addresses, email addresses, phone numbers, customer numbers, ages, account numbers, and account balances may have been compromised. Information included in its records of interactions with customers may also have leaked.
However, passwords, Social Security numbers, Tax file numbers, driver’s license or passport details, credit card numbers, dates of birth and any other “sensitive” information such as medical data were not included in the breach.
The total number of affected customers is not known at the moment.
When the bank became aware of the attack, it immediately shut down the source of the vulnerability.
P&N Bank highlighted in the notice that at present there is no evidence of customer accounts or funds being compromised, and that it is taking this information breach extremely seriously.
The bank is working with the West Australian Police Force (WAPOL) and other federal authorities.