The bank sent a disclosure notice to customers on 2 November, suspending all the affected accounts. Customer information that may have been accessed includes full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.
The breach may have occurred through a technique called credential stuffing, in which hackers who have stolen passwords for other websites try them out on an online banking site, under the assumption that people use the same passwords everywhere they go on the web.
The bank uses Captcha to strengthen authentication for online banking; it uses visual images and a challenge-response test to determine whether a log-on attempt is being made by a human.
However, the customer letter came out 19 days after the breach occurred. In data breaches, disclosure usually comes several months after an attack. This quick reporting time may be a result of regulatory pressure, as Europe's General Data Protection Regulation requires companies to disclose personal data breaches to regulators and affected customers within 72 hours of becoming aware of them.