"On Friday 16 August, CUA's payment provider Cuscal alerted us to mis-use of the PayID service. CUA took immediate action to stop this activity and put in place controls to protect against a recurrence," the spokeswoman said in a statement. "Some information attached to individuals' PayIDs was accessed. No financial transactions took place and nor can the information accessed be used, on its own, to enable financial transactions. "Information security is obviously of paramount importance. We are deeply disappointed this occurred and apologise to those affected," the statement said. PayID, a function of the New Payments Platform (NPP), allows banking customers to use their phone number or email address to identify their account for real-time payments, instead of having to remember their BSB and account number. Cuscal informed affected clients of the breach last week and put in place additional alerting "to mitigate against further incidents", its statement said.

Both the Australian Prudential Regulation Authority (APRA) and the Office of the Australian Information Commissioner (OAIC) were informed by the client, Cuscal said. The big four banks have each confirmed their customers were among those affected by the breach. A spokesman for ANZ said it was informed by New Payments Platform Australia on August 17 of a data exposure involving another member of the NPP. "PayID information may have been accessed without authority through another financial institution which uses Cuscal to offer PayID transactions on the New Payments Platform," the spokesman said. "The exposure led to the harvesting of PayID details linked to a number of mobile phone numbers. Of those, a small number of mobile numbers were linked to PayIDs registered to ANZ customers," he said.

Loading The spokesman said ANZ understood the information disclosed included the affected users' full name, PayID nickname, mobile number, BSB and account number. However, he said ANZ's monitoring had not detected any fraud as a result of the disclosure. A Westpac spokeswoman also confirmed "a relatively small number" of its customers were affected following "an incident at another financial institution which has resulted in the disclosure of PayID account data of a number of individuals". Customers of Westpac-owned Bank of Melbourne, BankSA and St.George were not affected, she said. Commonwealth Bank and NAB also confirmed they had customers who were affected. Partner at McGrathNicol Advisory, Shane Bell, said data breaches were inevitable in a digital world. But he added that such breaches raised an important question about the relationship between the "ecosystem" –payment providers, banks and consumers – and who is responsible for these incidents.