PayID / NPP Australia
Summary
PayID, Australia's real-time payments system operated by NPP Australia, suffered a data breach in August 2019 that exposed personal banking information of tens of thousands of customers across the Big Four banks and other financial institutions. The breach compromised the payment system that allows Australians to make instant bank transfers using mobile numbers or email addresses instead of BSB and account numbers. Banks immediately notified affected customers and tightened security measures.
What Happened
Hacking. Cybercriminals gained unauthorised access to the PayID database, which links customers' mobile phone numbers and email addresses to their bank accounts for instant payment transfers. The attackers accessed information that could reveal which bank customers used and their registered PayID details. While the breach did not directly expose account balances or enable fraudulent transfers, the compromised data provided scammers with valuable information for targeted phishing attacks and social engineering schemes. The breach occurred within Australia's New Payments Platform infrastructure, raising concerns about the security of the country's evolving digital payments ecosystem.
Impact on Individuals
- Phishing Risk: Scammers could use knowledge of customers' banks and contact details for targeted fraud attempts
- Social Engineering: Information enabled more convincing impersonation of banks in phone and email scams
- Privacy Invasion: The link between customers' contact details and the banks they use was exposed
- Trust Erosion: Concerns about security of new payment infrastructure undermined confidence in PayID adoption
- Account Security: Banks advised customers to be extra vigilant for suspicious contact attempts
The breach was particularly concerning because it affected a relatively new payment system that banks were actively promoting to increase adoption.
Response
NPP Australia and participating banks immediately launched an investigation into the breach and implemented additional security measures to prevent further unauthorised access. The Big Four banks (Commonwealth Bank, Westpac, NAB, and ANZ) directly notified affected customers and warned them to be alert for phishing attempts. Banks advised customers not to respond to unsolicited calls or emails requesting account information or passwords. Financial institutions reinforced their security protocols and conducted comprehensive security reviews of the PayID system. The Australian Payments Network and participating banks worked with cybersecurity experts to strengthen the platform's defences. Regulators were briefed on the incident and the steps being taken to enhance security across Australia's payments infrastructure.