New Payments Platform Australia Exposed PayID Records Due to Client-side Technical Issues

• PayID records were exposed by a vulnerability in one of the financial institutions sponsored by Cuscal Limited.
• The exposed PayID records include PayID names and the associated account numbers.

What’s the matter?

Australia’s New Payments Platform (NPP) disclosed that PayID records and associated data in the Addressing Service were exposed in a data breach.

What was exposed?

The exposed PayID records include PayID names and the associated account numbers. However, NPP confirmed that none of the exposed data can enable the withdrawal of funds from a customer’s account.

What is the reason behind the data breach?

• PayID records were exposed by a vulnerability in one of the financial institutions sponsored by Cuscal Limited.
• Cuscal confirmed that client-side technical issues were the reason behind the exposure.
• Upon discovery, Cuscal identified the client-side technical issues and resolved them immediately.

What actions are being taken?

• NPP has notified the financial institutions whose customer details have been exposed so that they can take the necessary action.
• NPP Australia has implemented regulations to monitor, detect and shut down any attempts to misuse the PayID service.

“These regulations incorporate suspension of access to the PayID service by organisations not meeting these requirements, and were recently strengthened by the introduction of non-compliance charges which are expected to be also applied where these controls are not implemented,” NPP Australia said.

“Cybersecurity is an issue of paramount importance to NPP Australia. As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing end point security to ensure that the controls are executed as intended,” NPP added.