
FOIREQ18/00027 001

From: Tim De Sousa


To: Angelene Falk
Cc: Kelly Hart
Subject: RE: Phone call - [Section 47F - personal privacy] from ANZ on [Section 47F - personal privacy] [SEC=UNCLASSIFIED]
Date: Friday, 26 July 2013 12:00:29 PM

Dear Angelene,
I have just spoken to [Section 47F - personal privacy] of ANZ. She was reporting a data breach discovered by ANZ yesterday. The salient points are as follows:


· 2 ANZ employees contacted ANZ’s payroll department to seek their own personal information.
· The payroll department inadvertently sent by email to each of the 2 employees a batch file containing not only their personal employment information, but that of approximately 100 other ANZ employees. [I understand that this occurred yesterday].
· The information in question included names, job titles, salaries, tax file numbers.
· The recipients have stated that they have not disseminated the information, and have deleted the files. ANZ intend to get formal confirmation of this (eg stat. dec.).
· ANZ has shut down the ability for the payroll department to send attachments of this type by email (for the time being), and has directed that all future requests for employment information from the payroll department be fulfilled in hard copy.
· ANZ are conducting a full investigation, including considering possible harms to affected individuals and mitigation strategies, and amendments to their systems and processes to prevent future breaches.
· ANZ intend to notify all affected employees but have not done so yet. They anticipate that they will do so within the next week.
· ANZ intend to notify us in writing next week, including detailing the results of their investigation, action taken, and next steps.
· In drafting their notification, they will consider the guidance in our DBN guide.
This email will be added to the Resolve record once the formal notification is received.
Regards,
Tim
 
s 22
FOIREQ18/00027 002

 
s 22

s 22
FOIREQ18/00027 003
FOIREQ18/00027 005
FOIREQ18/00027 006
FOIREQ18/00027 046
FOIREQ18/00027 049
FOIREQ18/00027 054

T +61 2 [Section 47F - personal privacy]  F [Section 47F - personal privacy]  M [Section 47F - personal privacy]
E [Section 47F - personal privacy]



Unless otherwise stated, this email is confidential. If received in error, please delete and
inform the sender by return email. Unauthorised use, copying or distribution is prohibited.
Westpac Banking Corporation (ABN 33 007 457 141) is not responsible for viruses, or for
delays, errors or interception in transmission. Unless stated or apparent from its terms, any
opinion is not the opinion of Westpac Banking Corporation. This message also includes
information on Westpac Institutional Bank available at westpac.com.au/wibinfo
FOIREQ18/00027 055

 
 
 
7 December 2015

Group Regulatory Affairs
Andrew Solomon  [Section 47F - personal privacy]
Director
Office of the Australian Information Commissioner  T. [Section 47F - personal privacy]
GPO Box 5218
SYDNEY NSW 2001

Per email: Andrew.solomon@oaic.gov.au

 
 
Dear Mr Solomon, 
 
Westpac notification of data breach 
 
Westpac wishes to notify the Office of the Australian Information Commissioner (OAIC) of a data breach that occurred on Monday 30 November 2015. We have identified the root cause and contained the breach, conducted a risk assessment and have commenced notifying impacted customers. For transparency, we are notifying the OAIC in the event that you receive any complaints or enquiries in relation to the breach.

Please find enclosed key details of the data breach and our response.
 
Background

[Section 47G - business information], a Westpac customer, has a large [Section 47G - business information] Card program consisting of over [Section 47G - business information]. At the request of [Section 47G - business information], Westpac recently commenced monthly reporting on the [Section 47G - business information] card program through Westpac’s Corporate Online (an internet-based electronic platform, providing a single point of entry to a suite of online transactional services specifically designed for major Australian, New Zealand and international corporations and government bodies). The Corporate Online system is set up to provide monthly card data in both CSV format and as PDF statements.
 
Description of the breach

For the month end process in November 2015, the file of the aggregated monthly data for all Corporate Online commercial card customers was identified as being very large due to the [Section 47G - business information] card transactions, so the Westpac Corporate Online operational team split the file into two files for processing – one for [Section 47G - business information] and the other for the remaining customers. Unfortunately, there was an error splitting and processing the data files.
 

Page 1 of 3
FOIREQ18/00027 056

On Monday 30 November 2015, Westpac unintentionally disclosed confidential information relating to 916 [Section 47G - business information] cardholders to 92 different Westpac corporate/business customers. Specifically, cardholder information from [Section 47G - business information] cardholders appeared in the online card statements of other Westpac corporate/business commercial card customers available from Corporate Online.

In addition, 24 corporate/business customers received Corporate Online cardholder statements containing mixed cardholder data of their own employees, but no [Section 47G - business information] data. We note that these customers did not receive any data that did not belong to their organisation. Furthermore, there is limited potential for the individual cardholders to receive information other than their own due to the fact that all cardholders receive paper statements which contained the correct statement information. A fix has been implemented such that all of these 24 customers no longer have the ability to see data other than their correct online cardholder statements.
 
Type of personal information involved in the breach

The personal information involved in the breach was the card number, the cardholder name, statement date, transactions for the month of October 2015 and the card’s opening balance.

The cardholder data did not contain the expiry date, the CVV number (3 digit security number), the cardholder’s address or date of birth.

Without access to the expiry date, the CVV number, the cardholder’s address or date of birth, we consider the risk of card not present transactions fraud to be low. Similarly, without access to the cardholder’s address or date of birth, the risk of identity fraud is considered low.
 
Westpac’s response to the breach

On Monday, 30 November 2015, we implemented a fix which removed the incorrect data from the Corporate Online cards data available to the 92 corporate/business customers. All 92 customers with the ability to view the data no longer have the ability to see data other than their correct online cardholder statements. We have written to the 92 customers to request that they destroy all records to which they were not entitled.

We have identified the root cause, as well as potential short and long term solutions to prevent reoccurrence of the data breach. In the short term, we will not be issuing monthly online card reports for [Section 47G - business information] for December 2015. We will be working closely with [Section 47G - business information] on their requirements, and may need to make changes to Corporate Online to ensure the solution remains sustainable.
 
   

Page 2 of 3
FOIREQ18/00027 059

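The ANZ payroll incident earlier in this release (a per-employee extract that carried roughly 100 other employees' records) and the Corporate Online file split described in this letter are the same failure class: an output addressed to one party contains rows belonging to another. The following is an added example, not code from Westpac, ANZ or this FOI release, and it assumes nothing about either bank's real file layout; the CSV, the column names (customer_id and the rest) and the mis-assignment are constructed for illustration. It splits an aggregated extract by owner, then re-checks every output against the owner it is addressed to, independently of the splitter, so a routing bug is caught before delivery rather than by the recipients.

```python
"""Split an aggregated extract per owner and refuse to deliver any output
that carries rows belonging to someone else.

Added example; not the code of any organisation named in this release."""
import csv
import io
from collections import defaultdict


class CrossTenantLeak(Exception):
    """Raised when an output destined for one owner contains another owner's rows."""


# Constructed sample input: an aggregated extract covering several customers.
# Column names and card numbers (well-known test numbers) are assumptions; the
# letter does not describe the real Corporate Online file layout.
AGGREGATED_CSV = """customer_id,cardholder,card_number,statement_date,opening_balance
C001,A. Smith,4111111111111111,2015-11-30,120.00
C002,B. Jones,5555555555554444,2015-11-30,0.00
C001,C. Lee,4012888888881881,2015-11-30,45.50
C003,D. Kaur,378282246310005,2015-11-30,900.00
"""


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def split_by_owner(rows, key="customer_id"):
    """Route every row by its own owner column, never by position or file order."""
    batches = defaultdict(list)
    for row in rows:
        batches[row[key]].append(row)
    return dict(batches)


def verify_scope(owner, rows, key="customer_id"):
    """Independent check on the output, not on the splitter: every row must carry
    the owner the output is addressed to. Returns the number of rows checked."""
    foreign = [r for r in rows if r.get(key) != owner]
    if foreign:
        others = sorted({str(r.get(key)) for r in foreign})
        raise CrossTenantLeak(
            f"output for {owner} contains {len(foreign)} row(s) belonging to {others}"
        )
    return len(rows)


def extract_for(owner, rows, key="customer_id"):
    """Single-requester extract (the payroll case): filter, then verify the result
    separately so a filter bug cannot ship another person's record."""
    out = [r for r in rows if r[key] == owner]
    verify_scope(owner, out, key)
    return out


def render_outputs(batches, key="customer_id"):
    """One CSV text per owner; batches failing verify_scope are held back.
    Returns (rendered, rejected) so only the bad outputs are withheld."""
    rendered, rejected = {}, {}
    for owner, rows in batches.items():
        try:
            verify_scope(owner, rows, key)
        except CrossTenantLeak as exc:
            rejected[owner] = str(exc)
            continue
        if not rows:
            rendered[owner] = ""
            continue
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
        writer.writeheader()
        writer.writerows(rows)
        rendered[owner] = buf.getvalue()
    return rendered, rejected


def demo_good_split():
    rows = load_rows(AGGREGATED_CSV)
    rendered, rejected = render_outputs(split_by_owner(rows))
    return sorted(rendered), rejected


def demo_misrouted_split():
    """Constructed failure: the large customer's rows land in another customer's
    batch. The letter reports this class of outcome, not its mechanism; the
    check rejects that one output and lets the clean ones through."""
    rows = load_rows(AGGREGATED_CSV)
    batches = split_by_owner(rows)
    batches["C002"] = batches["C002"] + batches["C001"]  # constructed mis-assignment
    rendered, rejected = render_outputs(batches)
    return sorted(rendered), sorted(rejected)


if __name__ == "__main__":
    print(demo_good_split())
    print(demo_misrouted_split())
```

The point of verify_scope is that it reads only the finished output and the address it is going to, so it does not share the splitter's assumptions; the same check can be run again at the delivery step (e-mail gateway, portal publish) as a last gate.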
FOIREQ18/00027 060

From: Section 47F - personal privacy

To: Enquiries
Cc: Section 47F - personal privacy

Subject: DBN16/00111 Westpac (BT) Data breach notification


Date: Wednesday, 5 October 2016 8:25:53 PM
Attachments: image001.jpg
image002.jpg

Dear team,
 
We would like to make you aware of a system data breach that occurred between 25 February
2016 and 5 September 2016. We have identified the root cause and contained the breach,
conducted a risk assessment and have commenced the remediation process,  including
notification to impacted customers. Further details are set out below, based on details available
to us from our investigation and remediation activities as at the current date. We are happy to
share further details with the OAIC as required as these remediation activities are finalised and
would appreciate your feedback in this regard.
In the interim, we hope this provides you with sufficient visibility and details in the event you
receive any enquiries or complaints regarding this data breach. My contact details are provided
below in the event you have any questions or you would like to discuss any of this information.
 
Background and description of the data breach
Between 25 February 2016 and 5 September 2016 (the incident period), a system software
defect caused by a third party provider to two BT Super Member Funds administered by the BT
Financial Group (BT) (“the Funds”) (the “data breach”), intermittently caused an incorrect update
to the email address and / or mobile number of member records held in an internal BT registry
system.  This issue was identified by BT following the issuance of the first of five tranches of
2015/2016 annual statements when two employers with impacted members contacted BT to
advise that their employees had either the incorrect email or mobile number (or both) appearing
on their annual benefit statements.
 
The incorrect email address and/or mobile number details subsequently (and without our
knowledge) flowed through to the following member communications issued to impacted
members during the incident period:
1. 2015/2016 annual benefit statements (statements) - issued by mail to members in early
September 2016;
2. new member welcome packs (packs) – issued by mail to members between 25 February
2016 and 30 June 2016
 
Type of personal information impacted by the data breach
As noted above, the type of personal information impacted by the data breach was member
email address and member telephone (mobile) number only. Our investigation has confirmed
postal address details and/or financial details captured in the BT registry system were not
impacted by the system defect.  Given the above member communications for the Funds in
question are issued only by mail, our investigation has also confirmed no sensitive or financial
member information has been issued to an incorrect member.
 
Our response to the data breach
Actions taken, and currently in progress, since we became aware of the data breach are
listed below:
FOIREQ18/00027 063

FOIREQ18/00027 064

s 22

Section 47F - personal privacy


From: [Section 47F - personal privacy]
Date: 26 April 2017 at 9:30:54 am AEST
To: "andrew.solomon@oaic.gov.au" <andrew.solomon@oaic.gov.au>
Cc: [Section 47F - personal privacy]
Subject: Westpac DBN

Dear Andrew

Westpac has experienced a contained privacy incident and we are in the process of engaging the small number of impacted customers.

After undertaking a single-event fraud investigation in relation to one of our staff members we subsequently identified the staff member had accessed a small number of customer accounts (around 15) and transaction information without having a proper purpose for doing so and in contravention of our Code of Conduct. The customers whose information was accessed include a number of individuals who are also Westpac staff members as well as other individuals (not employed by Westpac) who are known in the public domain.

Although we have not identified any attempts to duplicate, record or distribute this information nor any attempt to use this information fraudulently or conduct any transactions with respect to any of these customers, as a matter of principle we are taking the incident seriously. In these circumstances, having regard to the OAIC's data breach notification guidance, and having balanced the risk of causing undirected anxiety with a potential serious risk of harm, we are contacting our impacted customers as well as making this voluntary notification to the OAIC.

We have advised the Westpac-employed customers and we will be advising our external customers this week. We will also be advising each customer that we have notified the OAIC. We would appreciate being able to refer those customers to a specific contact within your Dispute Resolution Branch if they wished to raise any concerns with the OAIC directly. Are you able to suggest
FOIREQ18/00027 067

s 22

***********************************************************************
WARNING: The information contained in this email may be confidential.
If you are not the intended recipient, any use or copying of any part
of this information is unauthorised. If you have received this email in
error, we apologise for any inconvenience and request that you notify
the sender immediately and delete all copies of this email, together
with any attachments.
***********************************************************************

FOIREQ18/00027 068



FOIREQ18/00027 069

s 22

From: [Section 47F - personal privacy]
Sent: Wednesday, 19 July 2017 5:02 PM
To: Soulla Alexandrou <soulla.alexandrou@oaic.gov.au>
Cc: [Section 47F - personal privacy]
Subject: DBN - temp password disclosure
 
Hello Soulla -
 
I wanted to let you know that we have identified a limited incident in relation to the unauthorised sharing of
Westpac customer internet banking (temporary) passwords with a mortgage broker group. We initially
identified this with respect to some Westpac customers who obtained home loans through this particular
mortgage broker group, and it relates to temporary passwords established when the customer originated their
online banking. A (now former) Westpac employee appears to have re-set the passwords of customers and
provided the temporary reset password to employees of the mortgage broker group.
 
When this occurred the process had been for a temporary password to be provided to the customer verbally or
in writing by a staff member, the customer was then encouraged to change that password to one of their own
creation in the branch at the time (but were also able to do so online subsequently if they preferred). We have
since changed our process to now enable the temporary password to be auto-generated and sent via SMS to
the customer directly, ie without staff needing to be involved.
 
While our investigations into the breadth of the issue are ongoing, we have currently identified around 80
customers that we believe may have been impacted and we are beginning a process of contacting them. As our
investigations proceed, if we identify any other customers similarly impacted by this type of conduct, we will
adopt the same approach. To date, of the customers we have identified, we have not established any adverse
impact (i.e. in the form of unauthorised transactional activity) to their accounts. However, we are requesting
customers reset their internet banking passwords as a precaution and for some we are also requesting they
attend a Westpac branch to have their identification re-verified.
 
We have had regard to the OAIC’s Data Breach Notification Guidelines when considering this matter and the
above steps and we have also decided to voluntarily alert the OAIC as a reflection of our approach to managing
privacy incidents. Concurrently, we are engaging ASIC on the wider conduct issues associated with the former
FOIREQ18/00027 075

From: Section 47F - personal privacy

To: Enquiries
Cc: Section 47F - personal priva

Subject: DBN18/00031 Confidential: Westpac Live card linking matter


Date: Wednesday, 21 February 2018 5:31:44 PM
Attachments: image005.png
image006.jpg
Importance: High

Good afternoon -
 
We have recently identified an occurrence where two customers may have been able to view
other customers’ information while signed into their online banking service using Westpac Live
(our desktop and mobile online banking application). The incident involves a cancelled card
incorrectly appearing on another customer’s Westpac Live access.
 
A customer recently advised us that, when logged into Westpac Live, a tile for an unknown card
was visible. The tile showed a masked card number (e.g. XXXX XXXX XX12 3456) and the card
balance. The tile allowed the Westpac Live user to erroneously access the cancelled card’s
statements.
 
We established a cross functional team to investigate the root cause and identify other
occurrences.
 
Following our investigation, we believe the issue arose due to a cache clearing error in an
automated tool. After verifying the identified cause, we immediately disabled and discontinued
use of the automated tool. The automated tool remains disabled while our technology teams
develop and deploy a fix. The investigation indicated only two customers' closed accounts were
able to potentially be viewed (limited to the customer who identified the issue and one other
customer).
 
We take our customers’ privacy seriously and we are contacting the impacted customers about
this matter. The customer who initially identified the matter and the first impacted customer
have been contacted. The impacted customer was satisfied with our explanation and actions. We
are preparing to notify the other customers (including another Westpac Live user and the
relevant customer whose cancelled card was visible), which we expect to complete this week.
Over and above our usual active oversight, we are also applying enhanced monitoring of the
impacted customers’ accounts. To date there has been no evidence revealed of identity takeover
or unauthorised transactions.
 
We can further update the OAIC if you have any questions.
 
Regards
 
[Section 47F - personal privacy]
[Section 47F - personal privacy]
[Section 47F - personal privacy]
Regulatory and Governance
FOIREQ18/00027 077

From: Section 47F - personal privacy

To: Enquiries
Cc: Section 47F - personal priva

Subject: DBN18/00031 Confidential: Unrelated third party data breach - GitHub matter
Date: Wednesday, 21 February 2018 5:32:07 PM
Attachments: image005.png
image006.jpg
Importance: High

Good afternoon -
 
We have recently identified an incident where a third party posted Westpac customers' personal
information on a live website without Westpac's or the customers' knowledge or consent. The
third party who posted the material is not related to, or affiliated with, Westpac or its related
entities and is not a Westpac third party supplier.
 
On 15 February 2018, during regular monitoring activities, we located a public webpage holding
a data file containing personal information data sets of approximately 760 Australians, including
44 identified Westpac customers (we have retained a copy of the data file). The data file was
published on a website managed by GitHub, a software development platform headquartered in
San Francisco, United States of America (www.github.com). GitHub's website is a public online
application development platform allowing software and application developers to collaborate
on projects. 
 
Our investigation suggests the data file contains employee payroll information for an Australian
business located in Victoria, the Victorian Institute of Technology (VIT). The data file contains
personal information including:
 
· Date of information
· Name
· Gender
· DOB
· Residential and/or mailing addresses
· Email address(es)
· Phone number(s)
· Bank name
· BSB number
· Account number
· Australian Business Number
· Credit card number
· VIT registration number
· Working With Children Check status and expiry date
· Tax File Number  
 
The data file was uploaded to the GitHub website on 29 April 2017. The file does not appear to
have been modified since that date. The data file was able to be viewed by any person who
registered for an account on the GitHub website.
 
On 16 February 2018, we notified CERT Australia, the national computer emergency response
team, about the data file and requested GitHub to remove the data file. ISG also notified data
FOIREQ18/00027 079
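What made the file above worth escalating during "regular monitoring activities" is that it carried validated financial identifiers (TFNs, BSBs, card numbers), not merely runs of digits. The following is an added example, not Westpac's monitoring tooling and not derived from the file the e-mail describes, showing how a scanner can separate real TFNs and card numbers from arbitrary digit strings such as account numbers and dates by applying the public check-digit rules (the ATO TFN weighting and the Luhn mod-10 check). The sample text, its column names and every value in it are constructed; the card number is a well-known test number.

```python
"""Flag a text file that carries Australian financial identifiers.

Added example; not the tooling of any organisation named in this release."""
import re
from collections import Counter

# Constructed sample standing in for a payroll-style file found in a public
# repository. Every value is made up or a well-known test number.
SAMPLE_FILE = """name,dob,bsb,account,tfn,card
J. Citizen,1980-01-02,123-456,12345678,123456782,4111111111111111
K. Example,1975-05-06,654-321,98765432,123456789,4111111111111112
"""

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def tfn_valid(s):
    """ATO check-digit rule: the weighted sum of the nine digits is divisible by 11."""
    digits = [int(c) for c in s if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def luhn_valid(s):
    """Luhn mod-10 check used by payment card numbers (13 to 19 digits)."""
    digits = [int(c) for c in s if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(s):
    """Keep only the last four digits in findings so the scanner's own output
    is not another copy of the data."""
    digits = "".join(c for c in s if c.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


# Format patterns; each candidate is then validated so unrelated digit runs
# (account numbers, dates) are not reported. A BSB has no check digit, so the
# hyphenated NNN-NNN form is the only filter applied to it.
PATTERNS = {
    "tfn": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_valid),
    "card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), luhn_valid),
    "bsb": (re.compile(r"\b\d{3}-\d{3}\b"), lambda s: True),
}


def scan(text):
    """Return (kind, line_number, value) for every validated hit, in file order;
    TFNs and card numbers are masked, BSBs are reported as found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = []
        for kind, (pattern, validate) in PATTERNS.items():
            for m in pattern.finditer(line):
                if validate(m.group()):
                    hits.append((m.start(), kind, m.group()))
        for _, kind, value in sorted(hits):
            findings.append((kind, lineno, value if kind == "bsb" else mask(value)))
    return findings


def summarize(findings):
    return dict(Counter(kind for kind, _, _ in findings))


def should_alert(findings):
    """A validated TFN or card number warrants escalation; a BSB alone (a bank
    branch code, which is public information) does not."""
    return any(kind in ("tfn", "card") for kind, _, _ in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_FILE)
    print(summarize(found), should_alert(found))
```

On the constructed sample only the first data row is reported as a TFN and a card, because the second row's TFN fails the mod-11 check and its card number fails Luhn; both rows still produce a BSB hit, which on its own does not raise an alert.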

From: Section 47F - personal privacy

To: Enquiries
Cc: Section 47F - personal privacy
Subject: Confidential - Voluntary notification - privacy breach
Date: Friday, 23 March 2018 4:25:40 PM
Attachments: image001.png
image002.jpg

Confidential
 
Good afternoon
 
s 22
