
Cyber Incident Victim: Police & Nurses Limited

Date: Dec 2019

Location: Australia

Summary

A customer-owned bank experienced a data breach when attackers compromised a third-party hosting provider during a server upgrade and accessed the bank's customer relationship management system, which was kept separate from its core banking infrastructure. The incident exposed personal information including names, addresses, emails, ages, customer and account numbers, and account balances for approximately 100,000 individuals, though funds, social security numbers, and identification documents remained secure on other systems. The bank immediately disabled the source of the vulnerability upon discovery, engaged law enforcement, and commissioned a major accounting firm to audit its IT infrastructure, while emphasizing the existing security measures protecting accounts.


Description

On or around December 12, 2019, a cyber incident impacted P&N Bank, a customer-owned financial institution based in Western Australia and operating as a division of Police & Nurses Limited. The breach occurred during a server upgrade performed by an unnamed third-party hosting provider that managed systems for the bank. Attackers exploited a vulnerability during this maintenance activity, gaining unauthorized access to the bank's customer relationship management (CRM) platform. This system was segregated from the bank's core banking infrastructure but contained extensive personally identifiable information (PII) for approximately 100,000 individuals. Compromised data included full names, physical addresses, email addresses, ages, customer numbers, account numbers, and account balances. The bank emphasized that more sensitive data—including funds, social security numbers, and identification documents such as driver's licenses or passports—resided on separate systems and remained secure. CEO Andrew Hadley characterized the attack as sophisticated, though it targeted the third-party provider rather than P&N Bank directly.


P&N Bank detected the intrusion shortly after it occurred but delayed public disclosure to avoid compromising law enforcement investigations. Upon discovery, the bank immediately disabled the vulnerability's source and initiated containment procedures. The Western Australia Police (WAPOL) and federal authorities were notified to investigate the breach. An undisclosed Big Four accounting firm—Deloitte, PricewaterhouseCoopers, Ernst & Young, or KPMG—was engaged to conduct a forensic audit of the bank's IT systems. Impacted customers received formal notifications starting in January 2020, approximately one month after the incident, with the bank confirming no evidence of financial fraud or misuse of the exposed data. The breach notification highlighted existing security controls protecting account integrity while acknowledging the exposure of non-financial PII protected under Australia's Privacy Act. No operational disruptions to banking services occurred, as the compromised CRM platform operated independently from transactional systems. The bank maintained that customer funds remained safeguarded by what it described as highly sophisticated security measures throughout the incident.
