Bank of Queensland
Summary
Bank of Queensland announced in July 2019 that it had been informed of a personal data breach by a third-party service provider. The breach compromised customer information held by the external vendor on behalf of the bank, highlighting the supply chain risks in the financial services sector. While Bank of Queensland was not directly hacked, its customers' data was nonetheless exposed through its vendor relationships.
What Happened
Third-Party Breach. A service provider contracted by Bank of Queensland suffered a data breach that exposed personal information of bank customers. The third-party vendor had access to customer data as part of providing services to the bank, and this information was compromised when the vendor's systems were breached. The exposed data likely included customer names, contact details, account information, and potentially transaction histories depending on the vendor's role. Supply chain breaches like this are particularly challenging because banks must rely on third-party providers for various services, from payment processing to customer communications, creating multiple potential points of vulnerability beyond the bank's direct control.
Impact on Individuals
- Banking Data Exposure: Personal information and account details held by a bank vendor were compromised
- Third-Party Risk: Customers unaware their data was held by external vendors faced unexpected exposure
- Phishing Targeting: Information could enable convincing bank impersonation scams
- Account Security: Concerns about potential unauthorised access to banking services
- Limited Control: Customers had no direct relationship with the breached vendor
The breach demonstrated how customers' data can be compromised even when they only do business with reputable institutions, due to those institutions' vendor relationships.
Response
Bank of Queensland immediately contacted affected customers to notify them of the third-party breach and advise them about protecting their information. The bank worked with the service provider to understand the full scope of the breach and what customer data had been compromised. Bank of Queensland reported the incident to the Office of the Australian Information Commissioner and cooperated with any investigations. The bank reviewed its third-party vendor security requirements and conducted assessments of other service providers with access to customer data. Enhanced due diligence procedures were implemented for vendor selection and ongoing monitoring. Customers were advised to monitor their bank accounts for suspicious activity and to be alert for phishing attempts. The incident highlighted the need for financial institutions to hold third-party providers to the same security standards they apply to their own systems and to maintain strict oversight of vendor data handling practices.