Data breach in Westpac bank; nearly 100k users affected

Personal data belonging to almost 100k clients of Australian banks are exposed due to a cyberattack against PayID, a real-time online payment platform from the Australian bank Westpac. According to web application security specialists, this attack allowed hackers to instantly transfer money between multiple banks using a mobile phone number and an email address.

The attack, which affects the customers of Westpac and other Australian banks, has triggered alerts among the cybersecurity community, which believes that the compromised information could end up being used for various identity frauds. 

Although many Australian citizens ignore it, PayID functions as a phone book, allowing anyone to enter a phone number or email address to confirm the name of an account holder. Web application security experts mention that this allows the so-called “enumeration attack”, so numbers can be randomly changed to find the names and mobile phones of thousands of people.

“Any threat actor with access to these personal details could deploy a powerful attack campaign”, the experts added.

Representatives of the bank confirmed the security incident, although they did not mention the exact number of affected users.

Web application security experts were able to know that, at the end of May, the bank detected a large volume of searches in PayID conducted from seven Westpac Live accounts committed. Little more than 98 thousand of these searches were successfully performed; this figure is equivalent to the total amount of affected users.

According to specialists of the International Institute of Cyber Security (IICS) The attacks would have started since April 7, with about 600,000 searches in a period of just over a month; In addition, the Australian authorities consider that the mode of operation of the hackers has similarities with the activities of some cybercriminals groups detected in the United States.

Finally, the bank stressed that the accounts used to deploy the attack were compromised and specially configured for this campaign, so Westpac dismisses that some of the legitimate owners of the compromised accounts are behind the attack.