The financial institution at the centre of the giant personal information data breach — Queensland-based credit union CUA — was where the disaster started with the misuse of their system was detected earlier this month.

This allowed scammers to access the personal banking information of more than 90,000 Australians across dozens of institutions.

The New Payments Platform (NPP) was rolled out in 2018 and chief executive officer Adrian Lovney told News Corp he was “deeply concerned” by the breach.

There are more than 65 million bank accounts connected to the NPP across 80 Australian financial institutions.

During the breach scammers successfully accessed customers’ PayIDs and their linked information including phone numbers, customer names, BSB and account numbers.

“There is a risk that customers whose accounts were targeted in this activity could be at risk of a scam text or email,” Mr Lovney said.

“A majority of customers were from the big four banks.

“Banks have put in additional protections over their accounts which may not be visible to them.”

He said only impacted customers would have been notified of the breach.

So while no money has been reported as being lost yet there remains a possibility this could occur.

Customers have been warned they might receive a fraudulent SMS saying their account had been suspended and it included a link to click on.

They have been urged to not respond and to delete it.

Mr Lovney said heightened controls including lowering customer account limits and upping scrutiny on customers when they pay somebody for the first time has been ramped up.

The big four banks — Commonwealth Bank, Westpac, ANZ and National Australia Bank are among those who have issued warnings to impacted customers in recent weeks.

MORE NEWS

Urgent warning after bank customers hacked

When paying tax is a good thing for Aussie investors

Banks hand out cash and wine to those who switch

In 2018, banks started to roll out the option to customers to register for a PayID.

This meant they no longer needed to disclose their BSB and account numbers when being sent money by somebody else.

Mr Lovney said the issue was “extremely troubling” and the NPP was “deeply concerned about this incident”.

“We have begun work on a series of changes to our rules and system which are designed to increase the controls,” he said.

“They are all determine to see the rules around access and how the database is accessed is strengthened to prevent this from repeating itself.”

This has included introducing the ability for the NPP to fine banks who fail to have proper customer protections in place.

The NPP is owned by nearly all of the banks and financial institutions in Australia.

The NPP has also allowed transactions between institutions to speed up and often be done in real time instead of sometime daylong delays.

More than 3.5 million Australians have registered a PayID.

Less than 10 per cent of transactions made nationally use a PayID instead of a person or business’s BSB and account number.

Both the Australian Prudential and Regulation Authority and Office of the Australian Information Commissioner have been notified.

sophie.elsworth@news.com.au

@sophieelsworth