Western Australia’s largest mutual bank, P&N Bank, has revealed it sustained a “criminal” breach of its customer relationship management (CRM) system, potentially exposing customers’ personal data.

A statement by P&N Chief Executive Andrew Hadley said the incident occurred around the 12 December last year targeting a data hosting service used by the bank. The bank was reportedly struck during a server upgrade.

“The fault lies with a third party which the bank uses to provide hosting services,” Hadley said. “Upon becoming aware of the attack, we immediately shut down the source of the vulnerability.”

While the bank stressed that its core banking system remains “completely isolated and separate from the impacted system”, a laundry list of personally identifiable information (PII) may have been accessed during the attack. This includes customers’ names, addresses, emails, phone numbers, customer numbers, ages, account numbers, account balances and “other non-sensitive information that could be included in [its] records of interactions with customers”.

While P&N has yet to reveal the number of customers affected or any suggestion of the severity of the breach, it stressed that “no-one has been exposed to financial risk”, with customer funds, credit card details, and banking passwords isolated from attack.

The WA-based mutual said it is “working closely with the West Australian Police Force (WAPOL) and relevant federal authorities” to investigate the breach.

The Police & Nurses Credit Society (the precursor to P&N Bank) formed in the 1990s with the merger of the Police Credit Society of Western Australia Ltd and the Western Australia Nurses Credit Society Ltd.

Owing to its unique history, a significant portion of P&N’s members remain law enforcement officers and medical workers.