NAB admits it shared personal info on 13,000 customers with two external parties

The compromised data included customer name, date of birth, contact details, and in some cases, a government-issued identification, such as a driver's licence.
Written by Asha Barbaschow, Contributor

National Australia Bank (NAB) has admitted that some personal information on approximately 13,000 customers was uploaded, without authorisation, to the servers of two data service companies.

NAB chief data officer Glenda Crisp said the compromised data included customer name, date of birth, contact details and in some cases, a government-issued identification number, such as a driver's licence number.

The information, NAB said, was provided when an account was set up.

"We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers. We take full responsibility," she said. "The issue was human error and in breach of NAB's data security policies."

The red and black bank said its security teams have contacted the companies in receipt of the data, with NAB saying all information provided to them is deleted within two hours.

No NAB log-in details or passwords have been compromised, and NAB said its systems remain secure. Crisp said it was not a cybersecurity issue.

"Our number one priority is to support our customers. We are moving quickly to proactively contact every person affected," she added.

NAB is calling, emailing, or writing to each impacted customer individually. A dedicated, specialist support team is also in place.

The bank has offered to cover the cost involved in the re-issue of government identification documents. It said it will also cover the cost of independent, enhanced fraud detection identification services for affected customers.

"Importantly there is no evidence to indicate that any of the information has been copied or further disclosed," NAB said in a statement.

NAB has also notified and is working with industry regulators, including the Office of the Australian Information Commissioner (OAIC).


"We have reviewed these customers' accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers' accounts," Crisp added.

"We take full responsibility. We can assure you that we understand how this happened and we are making changes to ensure this does not happen again."

NAB in early 2017 admitted it had sent the details of approximately 60,000 customers to an email address on a global domain rather than its .au address.

It is understood customer information was sent in error to an nab.com address rather than an email address on the nab.com.au domain.

The email contained each customer's name, address, email address, branch and account number, as well as an NAB identification number for some customers.

The bank revealed there was an error in December 2016, and at the time, apologised to customers, again taking "full responsibility" for the error, explaining that those impacted were customers who had their accounts created by the bank's migrant banking team while they were overseas. 

The Commonwealth Bank of Australia (CBA) was last month asked by the OAIC to "substantially improve" its privacy practices under a court-enforceable undertaking.

The binding commitment follows an OAIC probe into two separate incidents concerning how the yellow bank handled data.

The first incident was the loss of magnetic storage tapes containing historical customer statements for up to 20 million bank customers. The other incident involved inadequate internal access controls over customer data, reported to the OAIC in August 2018.

