A recent revelation by Dvuln, an Australian tech security firm, has uncovered that the personal banking information of over 30,000 Australians has been compromised and found online over the past four years. This data breach involves several major Australian banks, including the Commonwealth Bank, NAB, ANZ, and Westpac. Notably, the theft was attributed not to breaches of banking systems, but rather through malicious software known as “infostealer malware,” which infiltrated customers’ devices.
The research indicates that details of around 10,000 customers from one bank, and upward of 7,000 from others, were detected on “infostealer logs,” platforms where cybercriminals exchange and sell such stolen information. Dvuln has cautioned that these findings only represent a small fraction of the ongoing illicit activities targeting Australians.
While multi-factor authentication is widely used for accessing banking services, Dvuln emphasises that it is not a foolproof safeguard against these types of cyber threats. The report highlights the need for collaborative efforts among financial institutions, government, cybersecurity experts, and the public to close the gaps that exist between endpoint compromises and financial exploitation.
Anna Bligh, CEO of the Australian Banking Association, confirmed that the data access occurred through personal devices, rather than any lapse in security by the banks themselves. She reassured that online security remains a top priority for the banks, which are continually investing in advanced measures to protect their customers, including monitoring for compromised credentials across both the open and dark web.
Customers are advised to remain vigilant, with recommendations to create strong, unique passwords, regularly update them, and utilise reliable antivirus software. Additionally, monitoring account activities and setting up transaction notifications are encouraged. If customers suspect any irregularities, they should promptly contact their bank.
The Australian Signals Directorate (ASD) has indicated that they are actively combating the cybercriminal threats faced by the nation, noting that infostealer malware presents a persistent risk. In the fiscal year 2023-24, the ASD received over 87,400 reports of cybercrime, with identity fraud being the most prevalent issue reported.
In summary, the safety of banking credentials is increasingly challenged by sophisticated malware, urging both institutions and individuals to bolster their security practices amidst a rising tide of cybercrime.