It’s refreshing to see an actual acknowledgment, seemingly sincere apology, and clear details of what they’re going to do about it.

Their official statement:

https://news.nab.com.au/nab-apologises-to-customers-for-data-breach/
I once worked as a contractor at NAB. The kickstart file with root password, which was unchanged, for a 450M AUD corporate banking project was stored on an SMB share accessible to everyone in the bank. Project leaders didn't care (since it would involve work to fix). I eventually had to raise it as a hint to a friendly pentester who included it in their report, finally getting it fixed.
Name, date of birth and contact details (phone and address) are often enough data for a fraudster to commit some serious damage. If I call up my phone company or bank that's probably going to cover the questions they ask me to prove identity. Someone transferring my phone can then get past any 2FA I hold.

At what point do we hold NAB liable for the potential damage they have caused?
I hope the boffins who mandated weaker encryption take notice of this. The congress members who supported the bill for weaker encryption should be personally DOSed.