Australian Bank Finds Out The Hard Way It Should Have The .COM Too

January 12, 2017

One of Australia’s big 4 banks has found out the hard way that it’s a good idea for a large company to obtain its name under the .com top-level domain, not just under the country code top-level domain (ccTLD) of the country the company operates in. The bank, NAB, formerly National Australia Bank, sent the account details of over 60,000 customers to nab@nab.com instead of nab@nab.com.au.

The owner of nab.com is domain investor David Weissenberg of Real Assets Limited who owns hundreds of domain names, including many porn-related domains.

According to a report in news.com.au, “NAB wrote to customers last month apologising for the data breach, which took place in 2012 and exposed customer names, addresses, email addresses, BSB and account numbers, but not passwords.”

“The customers affected were those living outside of Australia at the time and holding accounts set up by NAB’s migrant banking team.”

“We understand that the email address to which the correspondence was incorrectly sent is not actively used and our customers’ emails have not been wrongfully used,” NAB’s executive general manager for international branches Peter Coad told the Australian Financial Review in another article.

“Although this has been a complex process involving multiple international jurisdictions, all parties – including the email account owner – are taking this extremely seriously and NAB is working hard to resolve this matter.”

Mr Weissenberg and his company own the domain names nab.com and nab.net. At the time of publication of the AFR article, nab.com was hosting a dating website; however, the domain name doesn’t appear to be resolving at the time of writing this article.

While none of the accounts appear to have been compromised to date, and the owner of the .com domain alerted the bank to the problem, there are a few lessons. One is that the data sent in the email appears to have been unencrypted, which was a huge mistake. Another is that large companies using a ccTLD domain would be well advised to also register the major gTLD domains.