Security Bulletin: Police and Nurses CRM Breach

15th January 2020

If you have received an email from the WA Financial Institution, you might be a little confused or concerned.

The notice from Police and Nurses states that the bank’s Customer Relationship Management System (CRM) was accessed illegally via a third-party provider around December 12 2019.

So we can say that the bank itself was not breached, but a business providing services to the bank was compromised, granting access to attackers.
After gaining access, it is understood that the attackers downloaded information in the CRM with the intent either to use it themselves or to sell it on the black market.

This information includes:
Name, address, email, phone number, customer number, age, account number, account balance and other “non sensitive information”, according to the notice.

This information does NOT include:
Password, Driver's license information, Passport Number, Social Security Number, Tax File Number, Credit Card details, birth date or other sensitive or health-related information.

While on the surface this does not seem to be serious, there is more to this than you would think at first glance.

The information included in the breach may not be regarded as “critical”, but this data can be harvested and used in other ways.

Scammers can use this personally identifiable information in a number of ways, either to create a new identity or to fool customers or others into believing they are being contacted by the bank when they could be in contact with scammers.

If you are a Police and Nurses customer you should be considering the following:

There is a high likelihood that you may be targeted in scams via telephone call, SMS, email or social media that claim to be from Police and Nurses or other financial or government institutions and use personal information to lend weight to the scam.

If you are contacted and you are suspicious, it is recommended that you contact the organisation directly via listed contact details to confirm that the contact is legitimate.
If you are in doubt, please contact a trusted cybersecurity advisor for clarification or more information.
