HSBC suffers data breach affecting online accounts

The bank sent a disclosure notice to customers on 2 November, suspending all the affected accounts. Customer information that may have been accessed includes full names, mailing addresses, phone numbers, email addresses, dates of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.

The breach may have occurred through a technique called credential stuffing, in which hackers who have stolen passwords for other websites try them out on an online banking site, under the assumption that people use the same passwords everywhere they go on the web.

The bank uses Captcha to strengthen authentication for online banking; it relies on visual images and a challenge-response test to determine whether a log-on attempt is being made by a human.

However, the customer letter came out 19 days after the breach occurred. In data breaches, disclosure usually comes several months after an attack. This quick reporting time may be a result of regulatory pressure, as Europe's General Data Protection Regulation requires companies to disclose personal data breaches to regulators and affected customers within 72 hours of becoming aware of them.


The Paypers is the Netherlands-based leading independent source of news and intelligence for professionals in the global payment community.

 
