Westpac bank breach: Former manager shared banking password of dozens of customers

  • Marten Pudun, an ex-manager, had reset the passwords of the accounts before sharing the credentials with a mortgage broker.
  • In July 2018, the (ASIC) permanently banned Pudun, thus preventing him from engaging in credit activities.

The Australian bank Westpac suffered a data breach after one of the managers of the bank shared the banking password of 80 customers to a mortgage broker. The man in question is a former relationship manager named Marten Pudun. He managed to reset the passwords of customer accounts before handing them over to the broker.

"A (now former) Westpac employee appears to have reset the passwords of customers and provided the temporary reset password to employees of the mortgage broker group," the bank said in a breach notification to the Office of the Australian Information Commissioner (OAIC) in July 2017, the ABC reported.

"We initially identified this with respect to some Westpac customers who obtained home loans through this particular mortgage broker group and relates to temporary passwords established when the customer originated their online banking,” Westpac added.

However, the bank told OAIC that they had not identified any unauthorized transaction activity at the time of the notification.

According to the information obtained by ABC News, under Freedom of Information laws, the Westpac breach is one of the 32 breaches among suffered by the four largest Australian banks. The breach is also Australia’s fourth largest breach to be disclosed to the OAIC between January 2012 and April 2018.

Pudun was banned by ASIC

In July 2018, the Australian Securities and Investments Commission (ASIC) permanently banned Pudun, thus preventing him from engaging in credit activities.

When he was banned in July, ASIC said, “Mr Pudun also breached Westpac policy in sharing personal client information including internet and telephone banking passwords, customer account opening forms, transaction histories and identification documents with external third parties”, the Daily Mail reported.

Meanwhile, Westpac is continuing its investigating and has vowed that it is committed to protecting the data of its customers.

“When we make mistakes, we make sure we put it right by remediating affected customers, informing all relevant authorities, making process changes to prevent similar incidents, and where necessary, taking disciplinary action against employees who are found to have done the wrong thing in accordance with our Westpac Group Code of Conduct,” a Westpac spokesperson told ABC news.