P&N Bank

Police and Nurses (P&N) Bank, Western Australia's largest customer-owned bank, suffered a data breach affecting approximately 96,000 members when attackers gained unauthorised access to the bank's customer relationship management (CRM) system during a server upgrade.

What Happened

During a routine server upgrade of P&N Bank's CRM platform on 12 December 2019, unauthorised actors gained access to customer data. The breach was detected in early January 2020, with the bank notifying affected members on 15 January 2020. A third-party hosting company hired by P&N Bank was believed to be the entry point for the attack.

The compromised information included customer names, ages, residential addresses, email addresses, phone numbers, customer identification numbers, account numbers, and account balances. The bank's core banking system remained isolated and unaffected, meaning passwords, tax file numbers, driver licence details, passport numbers, and credit card numbers were not exposed.

Impact on Individuals

Affected customers faced risks of targeted phishing attacks and identity fraud due to the exposure of contact details and account information. While no financial credentials or identity documents were stolen, the combination of personal details and account balances could enable social engineering attacks.

Organisational Response

P&N Bank immediately shut down the vulnerability upon detection and engaged WA Police and federal authorities. The bank advised customers to remain vigilant for suspicious communications and implemented additional security measures. The swift isolation of affected systems and engagement with law enforcement reflected standard incident response protocols for financial institutions.