NPP Australia PayID solution suffers data breach

NPP Australia has disclosed “a number” of PayID records and associated data were recently exposed by a client-side vulnerability at an unnamed financial institution.

The unnamed institution were sponsored into the platform by payment processing firm Cuscal, who said the issue was “identified and resolved immediately.”

The affected data included PayID name and account numbers, of which NPP said: “none of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.”

PayID is an NPP-based service that enables payments to be made using alternative identifiers, such as a person’s email address or mobile number.

A PayID removes the need for previously required banking information, BSB and account number and can only be used to put money into an account.

NNP said financial institutions whose customer details have been exposed have been provided with details so that they can take the necessary action. 

The firm concluded: “Cybersecurity is an issue of paramount importance to NPP Australia. 

“As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing end point security to ensure that the controls are executed as intended.”

The NPP launched in February last year, developed by collaboration between the Reserve Bank of Australia (RBA), the Commonwealth Bank of Australia (CBA), the National Australia Bank (NAB), the Australia and New Zealand Banking Group (ANZ) and Westpac, which hold around 95% market share of the entire Australian finance industry between them.