Hundreds of NAB staff have spent the weekend scrambling to inform customers affected by a security breach that saw the details of 13,000 account holders compromised.
About two-thirds of those affected have been informed of the error by the bank, with the remaining customers expected to be informed over the next few days.
NAB says its investigation into how the details, including names, dates of birth, contact details and driver’s licence numbers, were uploaded to two unauthorised third parties is ongoing.
The bank has declined to provide further information about the employee or employees involved or the “data service providers” that ended up in possession of the information.
The development is an embarrassing one for the bank, albeit not on the same scale as a breach at CBA where records of 20 million customers were lost, leading to a rap over the knuckles from the regulator last month.
The data breach at NAB is understood to have occurred over the past week and was confirmed on Wednesday afternoon.
On Friday the bank informed the Office of the Australian Information Commissioner before swinging into action and informing the customers affected.
The bank announced the breach about 6pm on Friday in a statement published on its corporate website and an accompanying video featuring the bank’s chief data officer Glenda Crisp.
“The issue was human error and in breach of NAB’s data security policies,” Ms Crisp said.
The bank said it had been in contact with the two companies concerned and ordered them to erase the information within a period of two hours.
The bungle is the latest in a series of technology-related failures at NAB in recent years.
In May the bank blamed a long-standing practice of outsourcing for notching up eight critical incidents in a single quarter, the highest number of outages since 2016.
That same year the details of approximately 60,000 migrant customers at NAB were sent to an adult website owner when a banker accidentally used the wrong email address.
For many years the domain names nab.com and nab.net had been owned by a prolific domain name trader and cyber-squatter who used the websites to host adult content.
The embarrassing situation was brought to an end when the bank acquired the domain name for an undisclosed amount in 2017.
Like many banks, NAB is trying to simplify and streamline its operations by decommissioning outdated systems and becoming more agile.
Over the six months to March 31 the bank moved 128 applications onto cloud services and decommissioned 72 legacy IT applications.
During the Hayne royal commission NAB chairman Ken Henry said the bank had almost 14,000 individual compliance obligations and it would be “quite extraordinary” if the bank was ever fully compliant.
Dr Henry also revealed the bank’s compliance risk rating had been flashing red almost constantly since 2013, with the exception of a one-month period when it changed to amber.
The definition of a red rating was that the bank had breached its appetite for risk and did not have an agreed plan to fix the problem.
Source: Australian Financial Review