September 29, 2020

Volume X, Number 273


September 28, 2020


Major Privacy And Security Breaches Confirmed This Week: Westpac, The ANU And Princess Polly Targeted

It’s been a chilly start to winter for three Australian organisations, who’ve this week reported major privacy and security breaches.

Up to 100,000 Australians’ personal information has been exposed in a hack affecting Westpac Bank. Westpac confirmed on Monday that details of Australian bank customers (not just those of Westpac) were exposed in a cyberattack on real-time payments platform PayID. The banking giant says it noted a high volume of PayID lookups in 2019 on a semi-daily basis, the result of attackers trying to guess phone numbers; a correct guess would give them the name of the account holder to which the number is linked. Despite the hack, Westpac says that no customer bank account details were compromised as a result of this cyberattack. Nevertheless, experts warn that the details accessed could still be used to commit fraud.

In another significant incident, ANU emailed students, staff and alumni to notify them of a cyberattack affecting 19 years of personal data. The university reported that its systems were accessed illegally in late 2018, and that the personal information accessed included names, addresses, tax file numbers and academic records. The sheer size of the breach is just one concerning element – many public servants in Canberra attended ANU, and the university is also home to several schools and colleges frequented by government officials for short courses.

Finally, Australian fashion e-tailer, Princess Polly, also suffered a data breach that potentially involved customers’ personal and payment information being exposed to an “unidentified third party”. The data breach is said to have occurred between 1 November 2018 and 29 April 2019, but was only discovered more recently. Customers’ payment information was accessed by the third party as customers were typing in their credit card details to make a purchase. The attacker(s) may have also accessed customers’ billing and shipping information, usernames and passwords.

We are finding that it is becoming increasingly common for organisations to discover security breaches like these much later than the time of the actual breach. By the time a breach is identified, individuals’ personal information may be compromised and used for personal gain by the attackers. As always, these breaches should serve as a timely reminder for you to check what your organisation is doing to protect itself and your customers – and what more you can do or should be doing to mitigate the effects of a potential cyberattack.

Copyright 2020 K & L Gates

National Law Review, Volume IX, Number 158


About this Author

Cameron Abbott

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurement issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Allison Wallace

Allison Wallace is a lawyer in the Melbourne, Australia office of K&L Gates, working in the Commercial Technology and Sourcing Practice.