Dear Angelene,
I have just spoken to [Section 47F - personal privacy] of ANZ. She was reporting a data breach discovered by ANZ
s 22
s 22
FOIREQ18/00027 003
T +61 2 [Section 47F - personal privacy] F [s 47F - personal privacy] M [Section 47F - personal privacy]
E [Section 47F - personal privacy]
7 December 2015
Group Regulatory Affairs
Andrew Solomon [s 47F - personal privacy]
Director
Office of the Australian Information Commissioner T. [s 47F - personal privacy] 5
GPO Box 5218
SYDNEY NSW 2001
Per email: Andrew.solomon@oaic.gov.au
Dear Mr Solomon,
Westpac notification of data breach
Westpac wishes to notify the Office of the Australian Information Commissioner (OAIC) of a data
breach that occurred on Monday 30 November 2015. We have identified the root cause and
contained the breach, conducted a risk assessment and have commenced notifying impacted
customers. For transparency, we are notifying the OAIC in the event that you receive any complaints
or enquiries in relation to the breach.
Please find enclosed key details of the data breach and our response.
Background
[Section 47G - business information], a Westpac customer, has a large [Section 47G - business information] Card program consisting of over
[Section 47G - business information]. At the request of [Section 47G - business information], Westpac recently commenced monthly reporting on the
[Section 47G - business information] card program through Westpac's Corporate Online (an internet-based electronic
platform, providing a single point of entry to a suite of online transactional services specifically
designed for major Australian, New Zealand and international corporations and government bodies).
The Corporate Online system is set up to provide monthly card data in both CSV format and as PDF
statements.
Description of the breach
For the month end process in November 2015, the file of the aggregated monthly data for all
Corporate Online commercial card customers was identified as being very large due to the
[Section 47G - business information] card transactions, so the Westpac Corporate Online operational team split the file into two
files for processing – one for [Section 47G - business information] and the other for the remaining customers. Unfortunately,
there was an error splitting and processing the data files.
On Monday 30 November 2015, Westpac unintentionally disclosed confidential information relating
to 916 [Section 47G - business information] cardholders to 92 different Westpac corporate/business
customers. Specifically, cardholder information from [Section 47G - business information] cardholders
appeared in the online card statements of other Westpac corporate/business commercial card
customers available from Corporate Online.
In addition, 24 corporate/business customers received Corporate Online cardholder statements
containing mixed cardholder data of their own employees, but no [Section 47G - business information] data. We note that
these customers did not receive any data that did not belong to their organisation. Furthermore,
there is limited potential for the individual cardholders to receive information other than their own
due to the fact that all cardholders receive paper statements which contained the correct statement
information. A fix has been implemented such that all of these 24 customers no longer have the
ability to see data other than their correct online cardholder statements.
Type of personal information involved in the breach
The personal information involved in the breach was the card number, the cardholder name,
statement date, transactions for the month of October 2015 and the card’s opening balance.
The cardholder data did not contain the expiry date, the CVV number (3 digit security number), the
cardholder’s address or date of birth.
Without access to the expiry date, the CVV number, the cardholder's address or date of birth, we
consider the risk of card-not-present transaction fraud to be low. Similarly, without access to the
cardholder's address or date of birth, the risk of identity fraud is considered low.
Westpac’s response to the breach
On Monday, 30 November 2015, we implemented a fix which removed the incorrect data from the
Corporate Online cards data available to the 92 corporate/business customers. All 92 customers with
the ability to view the data no longer have the ability to see data other than their correct online
cardholder statements. We have written to the 92 customers to request that they destroy all records
to which they were not entitled.
We have identified the root cause, as well as potential short and long term solutions to prevent
reoccurrence of the data breach. In the short term, we will not be issuing monthly online card
reports for [Section 47G - business information] for December 2015. We will be working closely with [Section 47G - business information] on their
requirements, and may need to make changes to Corporate Online to ensure the solution remains
sustainable.
To: Enquiries
Cc: Section 47F - personal privacy
Dear team,
We would like to make you aware of a system data breach that occurred between 25 February
2016 and 5 September 2016. We have identified the root cause and contained the breach,
conducted a risk assessment and have commenced the remediation process, including
notification to impacted customers. Further details are set out below, based on details available
to us from our investigation and remediation activities as at the current date. We are happy to
share further details with the OAIC as required as these remediation activities are finalised and
would appreciate your feedback in this regard.
In the interim, we hope this provides you with sufficient visibility and details in the event you
receive any enquiries or complaints regarding this data breach. My contact details are provided
below in the event you have any questions or you would like to discuss any of this information.
Background and description of the data breach
Between 25 February 2016 and 5 September 2016 (the incident period), a system software
defect caused by a third party provider to two BT Super Member Funds administered by the BT
Financial Group (BT) (“the Funds”) (the “data breach”), intermittently caused an incorrect update
to the email address and / or mobile number of member records held in an internal BT registry
system. This issue was identified by BT following the issuance of the first of five tranches of
2015/2016 annual statements when two employers with impacted members contacted BT to
advise that their employees had either the incorrect email or mobile number (or both) appearing
on their annual benefit statements.
The incorrect email address and/or mobile number details subsequently (and without our
knowledge) flowed through to the following member communications issued to impacted
members during the incident period:
1. 2015/2016 annual benefit statements (statements) – issued by mail to members in early
September 2016;
2. new member welcome packs (packs) – issued by mail to members between 25 February
2016 and 30 June 2016.
Type of personal information impacted by the data breach
As noted above, the type of personal information impacted by the data breach was member
email address and member telephone (mobile) number only. Our investigation has confirmed
postal address details and/or financial details captured in the BT registry system were not
impacted by the system defect. Given the above member communications for the Funds in
question are issued only by mail, our investigation has also confirmed no sensitive or financial
member information has been issued to an incorrect member.
Our response to the data breach
Actions taken, and currently in progress since we have become aware of the data breach are
listed below:
Confidential communication
Westpac Banking Corporation (ABN 33 007 457 141)
Westpac Institutional Bank is a division of Westpac Banking Corporation
s 22
Dear Andrew
s 22
s 22
To: Enquiries
Cc: Section 47F - personal priva
Good afternoon -
We have recently identified an occurrence where two customers may have been able to view
other customers’ information while signed into their online banking service using Westpac Live
(our desktop and mobile online banking application). The incident involves a cancelled card
incorrectly appearing on another customer’s Westpac Live access.
A customer recently advised us that, when logged into Westpac Live, a tile for an unknown card
was visible. The tile showed a masked card number (e.g. XXXX XXXX XX12 3456) and the card
balance. The tile allowed the Westpac Live user to erroneously access the cancelled card’s
statements.
We established a cross functional team to investigate the root cause and identify other
occurrences.
Following our investigation, we believe the issue arose due to a cache clearing error in an
automated tool. After verifying the identified cause, we immediately disabled and discontinued
use of the automated tool. The automated tool remains disabled while our technology teams
develop and deploy a fix. The investigation indicated only two customers' closed accounts were
able to potentially be viewed (limited to the customer who identified the issue and one other
customer).
We take our customers’ privacy seriously and we are contacting the impacted customers about
this matter. The customer who initially identified the matter and the first impacted customer
have been contacted. The impacted customer was satisfied with our explanation and actions. We
are preparing to notify the other customers (including another Westpac Live user and the
relevant customer whose cancelled card was visible), which we expect to complete this week.
Over and above our usual active oversight, we are also applying enhanced monitoring of the
impacted customers’ accounts. To date there has been no evidence revealed of identity takeover
or unauthorised transactions.
We can further update the OAIC if you have any questions.
Regards
Section 47F - persona
Section 47F - personal privacy
To: Enquiries
Cc: Section 47F - personal priva
Subject: DBN18/00031 Confidential: Unrelated third party data breach - GitHub matter
Date: Wednesday, 21 February 2018 5:32:07 PM
Attachments: image005.png, image006.jpg
Importance: High
Good afternoon -
We have recently identified an incident where a third party posted Westpac customers' personal
information on a live website without Westpac's or the customers' knowledge or consent. The
third party who posted the material is not related to, or affiliated with, Westpac or its related
entities and is not a Westpac third party supplier.
On 15 February 2018, during regular monitoring activities, we located a public webpage holding
a data file containing personal information data sets of approximately 760 Australians, including
44 identified Westpac customers (we have retained a copy of the data file). The data file was
published on a website managed by GitHub, a software development platform headquartered in
San Francisco, United States of America (www.github.com). GitHub's website is a public online
application development platform allowing software and application developers to collaborate
on projects.
Our investigation suggests the data file contains employee payroll information for an Australian
business located in Victoria, the Victorian Institute of Technology (VIT). The data file contains
personal information including:
· Date of information
· Name
· Gender
· DOB
· Residential and/or mailing addresses
· Email address(es)
· Phone number(s)
· Bank name
· BSB number
· Account number
· Australian Business Number
· Credit card number
· VIT registration number
· Working With Children Check status and expiry date
· Tax File Number
The data file was uploaded to the GitHub website on 29 April 2017. The file does not appear to
have been modified since that date. The data file was able to be viewed by any person who
registered for an account on the GitHub website.
On 16 February 2018, we notified CERT Australia, the national computer emergency response
team, about the data file and requested GitHub to remove the data file. ISG also notified data
To: Enquiries
Cc: Section 47F - personal privacy
Subject: Confidential - Voluntary notification - privacy breach
Date: Friday, 23 March 2018 4:25:40 PM
Attachments: image001.png, image002.jpg
Confidential
Good afternoon
s 22