Banks in Australia have begun sending data breach notifications to customers following the exposure of an undisclosed number of PayID records in the country's real-time New Payments Platform.
NPP Australia has advised that a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.
A PayID is a unique, user-specific number registered with the customer's bank and linked to a nominated bank account. It can be a phone number, email address, or an Australian Business Number (ABN).
"The affected data included PayID name and account numbers," says NPP. "None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement."
Financial institutions whose customer details have been exposed have begun alerting customers to a "sophisticated PayID scam", warning that data including mobile numbers, email addresses, customer names, BSB and account numbers may have been disclosed.
The incident is the second to hit PayID since June, when Westpac was targeted with large-scale abuse of PayID's address lookup function.
"Cybersecurity is an issue of paramount importance to NPP Australia," says the payment system operator in a statement. "As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing end point security to ensure that the controls are executed as intended."