Around 80 Westpac customer account passwords were reset and then shared with a mortgage broker, according to new information gathered under a Freedom of Information request.
Evidence obtained by the ABC’s 7:30 program revealed that, of the 32 privacy infractions that the big four banks reported to the Office of the Australian Information Commissioner (OAIC) between January 2012 and April 2018, one involved a Westpac relationship manager resetting the passwords of 80 customer accounts and sharing them with a mortgage broker.
Marten Pudun of Glenwood, NSW, was employed as a relationship manager in Westpac’s premium banking section between September 2012 and March 2016, throughout which he “knowingly or recklessly” gave false documents and information to the major bank to help his clients obtain home loans on 24 occasions, according to the Australian Securities and Investments Commission (ASIC), which permanently banned Mr Pudun from engaging in any credit activities, effective 24 July.
The corporate regulator also found that the Glenwood banker* had “provided confidential customer information to third-party brokers”.
At the time of announcing the ban, ASIC said: “Mr Pudun also violated Westpac’s policy of sharing customer personal information, including internet and telephone banking passwords, client account opening forms, transaction histories and identification documents with external third parties.”
In notifying the OAIC of the infraction, Westpac stated: “Initially, we identified this with respect to some Westpac customers who obtained mortgage loans through this group of mortgage brokers in particular and relate to temporary passwords established when the customer originated their banking online.
“While our investigations into the extent of the problem continue, we have identified about 80 clients that we believe have been affected and we are beginning a process to contact them.
“A (now former) Westpac employee appears to have reset the passwords of customers and provided the temporary reset password to employees of the mortgage broker group.”
Westpac has not disclosed the identity of the broking group to The Adviser, nor any other new information pertaining to Mr Pudun’s actions while employed at the bank.
A spokesperson from the major bank reiterated that since the breaches were uncovered, Westpac had “proactively” reported them to the OAIC, then introduced new systems, procedures and training for employees to better handle customer information.
The spokesperson also maintained that no customers had been identified as experiencing any financial loss as a consequence of Mr Pudun’s actions.
Westpac reported 18 information breaches to the OAIC between January 2012 and April 2018, while NAB reported nine, CBA reported three and ANZ reported two.
On 22 February, the Notifiable Data Breaches (NDB) scheme came into effect, requiring businesses with existing personal information security obligations under the Privacy Act to notify individuals whose personal information is involved in a data breach that is “likely to result in serious harm”. This could include the loss of a smartphone or laptop, accidentally emailing personal information to the wrong recipient or personal files being hacked.
While the Privacy Act generally does not include small businesses that generate less than $3 million in annual revenue, the NDB scheme will apply to businesses that trade in personal information and to people in possession or control of a record with tax file number information, among others.
Relevant brokers also have to notify the OAIC of “eligible” data breaches, such as the loss of unencrypted memory sticks that contain personal information.
*This story was updated on 12/09/2018 to reflect that Mr Pudun was a Glenwood banker.
Tas Bindi is the features editor for The Adviser magazine. She writes about the mortgage industry, macroeconomics, fintech, financial regulation, and market trends.
Prior to joining Momentum Media, Tas wrote for business and technology titles such as ZDNet, TechRepublic, Startup Daily, and Dynamic Business.