Skip to content ↓ | Skip to navigation ↓

A large Australian bank exposed 60,000 of its customers’ account details after it inadvertently sent an email to the wrong recipient.

National Australia Bank (NAB), which was one of the targets of sophisticated Android malware in March 2016, disclosed the data leak in December.

It appears a former NAB employee sent confirmation emails to 60,000 new customers. All of the new account holders were migrants who had created accounts with NAB’s migrant banking team. The confirmation emails provided them with their Bank State Branch (BSB) number, account number, and NAB number. They also contained several pieces of personal information including the customers’ name, address, and email address.

On each email they sent out, the employee CC’ed NAB so that the bank could retain a copy. Or so they thought. They CC’ed nab.com instead of nab.com.au, a domain which the bank owns.

NAB’s executive general manager for international branches Peter Coad was quick to own up to the bank’s mistake. As quoted by the Australian National Review (ANR):

“We also take full responsibility and we sincerely apologise to our customers for this mistake. The error was caused by human error and identified following our own internal checks and as soon as we realised what had happened we took action.”

warracknabeal_national_australia_bank
Warracknabeal National Australia Bank (Source: Wikimedia Commons)

By digging into the data leak, NAB learned that Google hosts the server where the employee sent the email. The bank contacted Google and asked for its help in tracking down the data. The tech giant refused to do anything without a court order, so NAB filed a motion against Google.

At the bank’s request, a northern Californian court dismissed the case on 30 December. That might be because the bank decided to adopt a different strategy.

Indeed, NAB is now working directly with David Weissenberg of Real Assets Limited–the owner of nab.com. Coad feels this strategy will help the bank get to the bottom of what happened to the data. As he told ANR in an updated report published 9 January:

“We understand that the email address to which the correspondence was incorrectly sent is not actively used and our customers’ emails have not been wrongfully used. Although this has been a complex process involving multiple international jurisdictions, all parties – including the email account owner – are taking this extremely seriously and NAB is working hard to resolve this matter.”

At this time, it’s believed the information reached an inactive email address associated with nab.com. But that remains to be seen. While NAB continues to investigate the data leak, it’s said it will monitor all 60,000 affected customers’ accounts for fraudulent activity.

Organizations should use NAB’s example to try to reduce the risk of one of their employees sending an email to the wrong recipient. They can do so by encrypting emails that won’t automatically decrypt if they’re sent by email and by using an outbound email filter.