SYDNEY, Australia–More than 90,000 Australian bank and credit union customers have had their financial details and other personal data exposed after PayID was breached via Credit Union Australia, in the second major attack on the payment management system in recent months.
A spokesperson for Cuscal, which is the payments provider that has partnered with more than 120 financial services providers in Australia and overseas, said the breach originated with one of their clients and impacted "most organizations" that use PayID, according to the Sydney Morning Herald.
Cuscal is also the trade association for credit unions and member-owned banks in Australia.
According to a statement released by Cuscal, "less than 92,000 or 3% of the total 3.5 million customers who have registered for PayID" were affected, the Morning Herald said.
A spokesperson for Credit Union Australia confirmed the breach originated with its PayID accounts on August 16.
"On Friday 16 August, CUA's payment provider Cuscal alerted us to mis-use of the PayID service. CUA took immediate action to stop this activity and put in place controls to protect against a recurrence," the spokesperson said in a statement to the Sydney Morning Herald. "Some information attached to individuals' PayIDs was accessed. No financial transactions took place and nor can the information accessed be used, on its own, to enable financial transactions. Information security is obviously of paramount importance. We are deeply disappointed this occurred and apologize to those affected."
What PayID Does
PayID, a function of the New Payments Platform (NPP), allows consumers to use their phone number or email address to identify their account for real-time payments, instead of having to remember their personal information.
Cuscal said it has informed the affected clients of the breach and has put in place additional alerting "to mitigate against further incidents."
Both the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) have been informed of the breach.
The big four banks in Australia have also each confirmed their customers were among those affected by the breach.