[MRD85]

Name, date of birth and contact details (phone and address) are often enough data for a fraudster to commit some serious damage. If I call up my phone company or bank that's probably going to cover the questions they ask me to prove identity. Someone transferring my phone can then get past any 2FA I hold.

At what point do we hold NAB liable for the potential damage they have caused?

[dannyw]

Name, DOB, and address is available via the Electoral Roll. While I don't think NAB is blameless, at some point the blame lies with companies that accept insufficient forms of authentication.

For example, to transfer funds with my bank, I get texted a 2FA code and this is a mandatory requirement for online banking at CBA.

[jeauxlb]

Name and address is in the roll. DOB absolutely is not.

Further, suggesting the blame lies with companies accepting "insufficient forms" of authentication obviously does not bear up in light of this. 2FA texts, for example, are easily worked around by SIM-swapping. Performing a SIM-swap in Australia generally does not require 2FA, and the details leaked herein would get you well on your way.

[dannyw]

Ack. Still, the DOB is not difficult to access: just apply to work for the AEC and your copy of the roll certainly includes DOB.