In a statement issued on Friday evening, the bank said it had contacted the two companies and been advised that the data in question had been deleted within two hours of being uploaded.
There was no indication as to why the information about the leak was revealed so late on a Friday. Neither did the bank say when the screw-up happened and when it was noticed.
NAB chief data officer Glenda Crisp said the uploaded data included customer names, date of birth, contact details, and in some cases a government-issued ID number such as that on a driver's licence.
“The issue was human error and in breach of NAB’s data security policies.”
Crisp said there was no issue with the bank's security and this was due to a mistake by staff.
The bank will cover the cost of any ID documents that need to be re-issued and also pay for independent, enhanced fraud detection identification services for affected customers.
“We have reviewed these customers’ accounts, over and above our rigorous normal checks, and have not identified any unusual activity. We will continue to monitor 24/7 to protect our customers’ accounts,” Crisp said.
The bank said it had notified and was working with industry regulators, including the Office of the Australian Information Commissioner.