Australia's Westpac Banking Corporation has suffered a large cyber security breach affecting 98,000 customers, whose names were exposed to attackers alongside their mobile numbers.
The attackers abused the bank's PayID feature. PayID lets a user enter a mobile number to look up the account registered to it; once the number is submitted in the app, the name of the registered account holder is displayed on screen.
According to reports, seven fraudulent accounts were used to submit large volumes of guessed phone numbers. Whenever a guess matched a number already registered as a PayID, the lookup returned the customer's name.
A Westpac spokesperson confirmed the data breach and said the bank had taken additional preventive action. As reported by 7NEWS.com.au, the spokesperson said that none of the customers' bank account numbers was accessed by the attackers and that the Westpac Group "takes the protection of customer data and privacy extremely seriously and we continually monitor our systems."
The spokesperson also said the bank had not detected any other anomalies or inappropriate activity.
Because PayID is offered by almost all of Australia's major banks, concern has spread to other banks' customers, and experts warn that with access to verified name and phone number pairs, fraud could be committed at a massive scale.
However, according to the Sydney Morning Herald and The Age, the bank disclosed several details of the incident to Australia's banking and financial industry in a confidential memo.
The memo says that on May 22 Westpac noticed a high volume of NPPA PayID lookups from seven compromised Westpac Live accounts. Further analysis showed that the attackers had been active since April 7 and had made almost 600,000 lookups in total, meaning roughly one guess in six matched a registered PayID.
The memo also mentioned that the accounts used appear to have been "compromised or set up ... to perform the attack (Westpac conversations with the legitimate owners of the existing accounts used indicates that they are not aware of the attacks or involved in any way)."
In addition, the memo stated that the attackers had been "trying phone numbers in a semi-sequential manner", which means "the numbers are targeted guessing and do not necessarily come from an existing data compromise."
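The two signals the memo describes, a high volume of lookups from a single account and queried numbers that step forward semi-sequentially, are exactly what a detection rule on the lookup service's logs can key on. The following is an added example written for this article, not Westpac's or NPPA's code: it assumes a hypothetical CSV log format (timestamp, account, queried number, hit/miss), uses constructed sample records rather than real data, and the thresholds in `flag_enumerators` are illustrative assumptions rather than values from the memo.

```python
"""Flag PayID-style lookup enumeration from a lookup-service log.

Added example for illustration; not code from Westpac or NPPA.
Log format is an assumption: ISO timestamp, account id, queried number, hit|miss.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (made up for this example, not real logs).
# acct-A walks through numbers semi-sequentially with mostly misses;
# acct-B looks up a few unrelated numbers, the way a normal user would.
SAMPLE_LOG = """\
2019-05-22T10:00:00,acct-A,0412000100,miss
2019-05-22T10:00:01,acct-A,0412000101,miss
2019-05-22T10:00:02,acct-A,0412000102,hit
2019-05-22T10:00:03,acct-A,0412000105,miss
2019-05-22T10:00:04,acct-A,0412000106,miss
2019-05-22T10:00:05,acct-A,0412000107,miss
2019-05-22T10:00:06,acct-A,0412000110,hit
2019-05-22T10:00:07,acct-A,0412000111,miss
2019-05-22T10:05:00,acct-B,0455123456,hit
2019-05-22T12:30:00,acct-B,0499887766,hit
2019-05-23T09:15:00,acct-B,0433222111,miss
"""


def parse_log(text):
    """Parse the assumed CSV format into (timestamp, account, number, hit) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, account, number, result = line.split(",")
        records.append((datetime.fromisoformat(ts), account, number, result == "hit"))
    return records


def sequential_fraction(numbers, max_gap=10):
    """Fraction of successive queried numbers that differ by at most max_gap.

    A user looking up friends' numbers produces large, random gaps; an
    enumerator stepping through a range produces small ones (the memo's
    "semi-sequential" pattern).
    """
    if len(numbers) < 2:
        return 0.0
    close = sum(1 for a, b in zip(numbers, numbers[1:]) if abs(int(b) - int(a)) <= max_gap)
    return close / (len(numbers) - 1)


def peak_in_window(times, seconds):
    """Largest number of lookups that fall inside any window of the given length."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def account_stats(records):
    """Per-account volume, burst rate, hit ratio and sequentiality."""
    by_account = defaultdict(list)
    for rec in sorted(records):
        by_account[rec[1]].append(rec)
    stats = {}
    for account, recs in by_account.items():
        hits = sum(1 for r in recs if r[3])
        stats[account] = {
            "lookups": len(recs),
            "peak_per_hour": peak_in_window([r[0] for r in recs], 3600),
            "hit_ratio": hits / len(recs),
            "sequential": sequential_fraction([r[2] for r in recs]),
        }
    return stats


def flag_enumerators(stats, min_lookups=5, seq_threshold=0.5, max_hit_ratio=0.3):
    """Return {account: [reasons]} for accounts that look like enumerators.

    Thresholds are assumptions for this example; tune them on real traffic.
    """
    flagged = {}
    for account, s in stats.items():
        if s["lookups"] < min_lookups:  # too little traffic to judge
            continue
        reasons = []
        if s["sequential"] >= seq_threshold:
            reasons.append("semi-sequential numbers")
        if s["hit_ratio"] <= max_hit_ratio:
            reasons.append("low hit ratio (guessing, not known contacts)")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    stats = account_stats(parse_log(SAMPLE_LOG))
    for account, reasons in flag_enumerators(stats).items():
        print(account, stats[account], reasons)
```

A low hit ratio on its own is the more robust signal in practice: an attacker can randomise the order of guesses to defeat the sequentiality check, but cannot raise the hit ratio without already knowing which numbers are registered, which is the very information the lookup leaks. Per-account and per-source rate limits on the lookup endpoint cut off the volume that makes the attack worthwhile.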
The weakness had been demonstrated publicly before. In 2018 a social media user posted a screenshot of a payment being set up and wrote, "Shoutout to Sarah Wilson whose mobile number I now know just by entering random characters @npp_aus @PayID_Australia."