Westpac accepts no blame in security breach

Liam Tung, ZDNet Australia

24 July 2007

http://www.zdnet.com.au/news/security/soa/Westpac-accepts-no-blame-in-security-breach/0,130061744,339280311,00.htm?omn


Westpac has admitted that the details of around 1,400 Virgin credit card customers were exposed last week when its system security was breached, but Australia's fourth largest bank has washed its hands of any blame.

A spokesperson for Virgin Money, which partners with Westpac to run the credit card accounts, confirmed that the incident affected 0.2 percent of its 700,000 customers -- that is 1,400 card holders.

Virgin credit card holders received letters last week explaining that their cards had been cancelled because of a "high risk compromise", which may have resulted in their "account details being compromised".

The security breach, according to a Westpac spokesperson, was "related to transactions made by a third-party vendor" through another bank's payment gateway.

Westpac, Virgin -- and any other financial institution in Australia -- are under no obligation to make security breaches public, unlike their US-based counterparts, which means that similar incidents could go unreported.

In Europe, Japan and, most notably, the US (under the 2002 Californian Bill 1386), legislation exists which requires organisations to report breaches to affected customers and the stock exchange, but under the current Privacy Act, Australian organisations face no such conditions.

According to US-based privacy watchdog the Privacy Rights Clearinghouse, over 150 million breaches have occurred since 2005 in the US alone. The latest breach to be reported in the US involved 867,000 unencrypted military personnel records being compromised.

This breach is the latest in a string of problems affecting Westpac -- and is not the first time the bank has levelled blame at a third party.

In June last year, Westpac's CSO called its decision to outsource all its security to IBM a "blunder". David Backley, Westpac's chief information security officer (CISO), then said the bank had been battling IBM over security governance, stemming from Westpac's 10-year IT services contract with IBM Global Services.

Last October, Westpac's customers also experienced severe disruption when "multiple hardware failures" hit the bank's IT systems over a four-day period.

When Westpac's 16,500 Automatic Teller Machines, EFTPOS network, online banking and several bank branches were crippled by a power outage last month, Westpac pointed the finger at IBM.

Westpac said it was considering bumping up security measures last month after a DoS attack once again disrupted its systems.

