Thursday, June 04, 2009

Westpac sorry for security 'stuff-up'

FULL DISCLOSURE / MARK HAWTHORNE / THE AGE
June 4, 2009

A SECURITY breach has allowed confidential Westpac shareholder information to be included in an official document published on the Australian Securities Exchange website.

A document Westpac released to the ASX in March contains the security holder reference numbers (SRN) and holder identification numbers (HIN) of up to 20 different accounts controlled by global investment bank JPMorgan and retired 65-year-old shareholder Peter Liddle, who resides in the Northern Territory. Such details could be used by share "bottom feeders" such as David Tweed to gain control of the shareholdings.

The addresses and account details of JPMorgan Nominees and Mr Liddle are hidden in white type in the PDF document, which was issued by Westpac company secretary Anna Sandham on March 13.

The details cannot be read — but if the words are highlighted and copied into another document, such as an email, they can be converted into black type.

Several business websites, such as wotnews.com.au, converted the PDF document into text, and in doing so published the SRNs and account details on the internet.
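The leak described above can be caught before publication by checking a PDF's page content for text painted in white. The following Python sketch is an added example, not part of the article or of any Westpac or ASX procedure; it assumes the content stream has already been decompressed, the page background is white, and text uses literal `( )` strings. The sample stream and its placeholder values are constructed.

```python
import re

# Tokens: literal strings, TJ arrays, /names, numbers, operator keywords.
TOKEN = re.compile(
    rb"\((?:\\.|[^\\()])*\)|\[[^\]]*\]|/[^\s()\[\]<>/]+|[-+]?\d*\.?\d+|[A-Za-z'\"*]+")
STRING = re.compile(rb"\((?:\\.|[^\\()])*\)")
# Fill-colour operators and the operand values that mean "white".
WHITE = {b"g": [1.0], b"rg": [1.0, 1.0, 1.0], b"k": [0.0, 0.0, 0.0, 0.0]}

def hidden_white_text(stream: bytes) -> list[str]:
    """Return every string shown while the fill colour is white."""
    fill_white = False      # PDF's default fill colour is black
    saved = []              # graphics-state stack for q / Q
    operands, found = [], []
    for match in TOKEN.finditer(stream):
        tok = match.group()
        if tok[:1] in b"([/+-.0123456789":
            operands.append(tok)            # operand: wait for its operator
            continue
        if tok in WHITE:
            nums = [float(o.decode("ascii")) for o in operands[-len(WHITE[tok]):]]
            fill_white = nums == WHITE[tok]
        elif tok == b"q":
            saved.append(fill_white)
        elif tok == b"Q" and saved:
            fill_white = saved.pop()
        elif tok in (b"Tj", b"TJ", b"'", b'"') and fill_white and operands:
            parts = STRING.findall(operands[-1])
            found.append(b"".join(p[1:-1] for p in parts).decode("latin-1"))
        operands = []                       # operator consumed its operands
    return found

# Constructed sample: visible letter text plus a white-on-white block.
SAMPLE = rb"""
BT /F1 11 Tf 0 g 72 720 Td (Dear Securityholder) Tj ET
q 1 1 1 rg
BT /F1 8 Tf 72 40 Td (SRN PLACEHOLDER-0001) Tj
[(HIN ) -20 (PLACEHOLDER-0002)] TJ ET
Q
BT /F1 11 Tf 72 700 Td (Yours sincerely) Tj ET
"""

if __name__ == "__main__":
    for text in hidden_white_text(SAMPLE):
        print("white-on-white text:", text)
```

Any hit means the text is still in the file and will surface in copy-paste or PDF-to-text conversion, so it has to be deleted from the source document rather than recoloured.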

The letter was sent to holders of St George Bank shares and hybrid securities, offering the chance to convert them into new Westpac securities. The two banks merged last year.

A spokeswoman for JPMorgan said she was "astonished" to learn Westpac was responsible for the security breach, but assured the bank's institutional customers that their shares were safe. "These are nominee accounts and no transfer of the shares can be done without the approval of the actual account holder," said Claire Linton-Evans.

Such safeguards are not in place for retail shareholders such as Mr Liddle, who only discovered his account details were public knowledge when BusinessDay contacted him.

"I'm absolutely horrified to find that all of my personal account details can be read on the internet," Mr Liddle said. "I've already had that Tweed bloke trying to get his hands on my wife's Woolies shares once this year, and my SRN is on the internet. It's my 65th birthday today, and now I have to sort out this mess."

Westpac spokesman David Lording admitted that a "stuff-up" had led to the release of the information. "It was our mistake, it was our fault, and we have already apologised to the people affected," Mr Lording said. "We contacted them today and apologised, and will be implementing new procedures to ensure it doesn't happen again."

Mr Lording said he was aware the information had "originated" in an official release from the bank to the ASX. "Somehow the information was in that document. It was an inadvertent mistake, not a deliberate one, and we apologise to the shareholders affected."
