In that event, scammers compromised 98,000 PayIDs with 600,000 PayID lookups over six weeks.
Dr Haskell-Dowland said that, although bad actors were not able to directly access bank accounts with the details obtained, it provided the seed of a broader scam incident.
"You've got the potential for what we call a phishing attack," he said. "They've now got means of contacting customers through their email/phone number and can confirm they have their PayID name, this could lead to vulnerable individual disclosing snesitive information."
With this information, scammers could contact customers with enough authenticity to convince others that they are actually from the bank and trick them into handing over more sensitive information.
Dr Haskell-Dowland said even simple measures – like a limit on the number of lookups an individual can make or an artificial intelligence algorithm that identifies searching patterns – should have been in place.
"Those protections should have been in place since the beginning or at least after the June breach," he said.
"That prior incident should have caused a complete review of the system ... I think there is a level of responsibility on the NPPA to protect their infrastructure better."
Chief executive of NPPA Adrian Lovney said the body had taken steps to increase its cyber security since June.
Advertisement
"We recently commenced implementation of more targeted cyber security requirements upon participating institutions," he said.
The latest hack brings the total number of personal details gleamed from the PayID system in recent months to almost 200,000. Arsineh Houspian
The most recent breach came through CUA's systems; however, sever ..
Support the originator by clicking the read the rest link below.
