National Australia Bank (NAB)
Summary
National Australia Bank disclosed in July 2019 that the personal information of approximately 13,000 customers had been exposed due to human error when data was uploaded to the servers of two service providers without proper security controls. The breach, announced late on a Friday evening, involved customer contact details and account information. NAB attributed the incident to a mistake by staff members rather than a cyber attack, but the exposure highlighted vulnerabilities in how major banks handle customer data across their supply chains.
What Happened
Misconfiguration. NAB staff members mistakenly uploaded a dataset containing the personal information of 13,000 customers to the servers of two service providers without implementing appropriate security measures. The exposed data included names, email addresses, physical addresses, phone numbers, dates of birth, and bank account numbers. While NAB stated there was no evidence the data had been accessed by unauthorised parties, the information was potentially vulnerable during the period it remained on the service provider systems without proper access controls. The bank discovered the error during an internal review and immediately secured the exposed data.
Impact on Individuals
- Comprehensive Personal Data: Full contact details and account information exposed
- Identity Theft Risk: Combination of personal and banking details valuable for fraud
- Phishing Targeting: Verified customer information enabled convincing bank impersonation scams
- Account Security: Customers needed to be extra vigilant for suspicious banking activity
- Trust Concerns: Customers questioned the bank's data handling practices and staff training
While NAB stated there was no evidence of unauthorised access, the exposure of banking customer data created ongoing risks for affected individuals.
Response
NAB immediately secured the exposed data and removed it from the service provider servers. The bank notified all 13,000 affected customers via mail and reported the breach to the Office of the Australian Information Commissioner. NAB publicly attributed the incident to "human error" and stated it had implemented additional controls to prevent similar mistakes. The bank conducted a comprehensive review of its data handling procedures, particularly around the use of third-party service providers. NAB advised affected customers to monitor their accounts for suspicious activity and to be alert for phishing attempts. The timing of the announcement—late on a Friday evening—drew criticism from consumer advocates who questioned whether the bank was trying to minimise public attention to the breach.