PayID records have been exposed by a client-side vulnerability at an unnamed financial institution.
The issue was revealed by NPP Australia, the company co-owned by 13 financial groups including the ‘Big Four’ banks that share the co-developed New Payments Platform, a real-time payments platform.
Data including PayID names and account numbers were exposed by an unnamed financial institution introduced to NPP by payment solutions provider Cuscal Limited.
Cuscal advised that the technical issues leading to the exposure were immediately resolved, though it didn’t mention how many PayID customers' records were affected.
NPP also noted that a PayID name and account number aren’t enough to make a withdrawal without specific involvement from the customer.
“NPP Australia has regulations in place that prohibit disclosure of account data and that require participating financial institutions to have controls to monitor, detect and shut down any attempts to misuse the PayID service,” the company said in a statement.
“These regulations incorporate suspension of access to the PayID service by organisations not meeting these requirements, and were recently strengthened by the introduction of non-compliance charges which are expected to be also applied where these controls are not implemented.”
NPP added that it has since commenced implementing more targeted cybersecurity requirements for its members in an effort to shore up its security controls.