Unit Code and Title: SBM4302 IT Audit and Controls
Assessment 2: Case Study
|Due date:||Week 7|
|Word count / Time provided:||2000 words|
|Unit Learning Outcomes:||ULO1, ULO2, ULO3, ULO4, ULO5|
This assessment is designed to assess students’ ability to apply theoretical learning to practical, real world situations. In this assessment students are given a sample case study and asked to comment upon it. In particular, emphasis on the reason(s) behind the situation that unfolded and actions that could have been taken to prevent such incidents from occurring.
Case Study: NAB Data Breach
On the 26th July 2019, National Australia Bank (NAB) which is the 4th largest bank in Australia, contacted approximately 13,000 customers to advise that some personal information provided when their account was set up was uploaded, without authorisation, to the servers of two data service companies. NAB’s security teams have contacted the companies, who advise that all information provided to them is deleted within two hours.
NAB Chief Data Officer, Glenda Crisp, said the compromised data included customer name, date of birth, contact details and in some cases, a government-issued identification number, such as a driver’s licence number. “We take the privacy and the protection of customer information extremely seriously and I sincerely apologise to affected customers. We take full responsibility,” she said. “The issue was human error and in breach of NAB’s data security policies.” Ms Crisp said it was not a cyber-security issue. No NAB log-in details or passwords have been compromised – and NAB’s systems remain secure.
“Our number one priority is to support our customers. We are moving quickly to proactively contact every person affected.”
NAB called, emailed or written to each impacted customer individually. A dedicated, specialist support team was in place, available to them 24/7. If government identification documents need to be reissued, NAB would cover the cost. NAB would also cover the cost of independent, enhanced fraud detection identification services for affected customers. Importantly there is no evidence to indicate that any of the information has been copied or further disclosed.
NAB is advising impacted customers that they do not need to take any action with their account. “We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers’ accounts,” Ms Crisp said. NAB also notified and was working with industry regulators, including the Office of the Australian Information Commissioner. Ms Crisp said: “We take full responsibility. We can assure you that we understand how this happened and we are making changes to ensure this does not happen again.”
On further development, NAB CEO admitted that it is difficult to invest huge amount of money in information security compared to the industry leaders like Microsoft, Google, Amazon. His opinion was to leverage on the infrastructure created by these companies i.e. through cloud computing.
For solution, connect with online professionals.