The Commonwealth Bank of Australia (CBA) has had to reveal that it lost the records of almost 20 million customer accounts and decided not to inform its customers.
Following a report on BuzzFeed Australia that broke news of the May 2016 incident, the CBA issued a statement and a video of acting group executive, retail banking services, Angus Sullivan acknowledging that the lapse occurred and providing details of what happened, while clarifying that there was no evidence that the affected 19.8 million customer records had been compromised.
“The bank was unable to confirm the scheduled destruction by a supplier of two magnetic tapes which contained historical customer statements. The tapes contained customer names, addresses, account numbers and transaction details from 2000 to early 2016. The tapes did not contain passwords, PINs or other data which could be used to enable account fraud,” said the statement.
CBA said it ordered an independent forensic investigation conducted by KPMG, which determined the most likely scenario was the tapes had been disposed of. The bank immediately put in place monitoring mechanisms to further protect customers.
The 2016 incident was not cyber-related and there has been no compromise of CBA’s technology platforms, systems, services, apps or websites, said the bank. It added that over the past two years there has been no evidence of customer harm or suspicious account activity.
While customers’ passwords and PINs were not affected by the incident, and thus did not need to be changed, the bank said that ongoing monitoring of the 19.8 million customer accounts involved remains in place as a precaution.
CBA said the Office of the Australian Information Commissioner (OAIC) and the Australian Prudential Regulation Authority (APRA) were both notified of the incident and a briefing was provided on the results of the investigation.
“The decision was made not to alert customers given the outcome of our investigation which found the tapes were most likely disposed of. In these cases, we balance the need to alert customers without unnecessarily alarming them,” said Mr Sullivan.
The revelation of the May 2016 incident adds to the CBA's existing woes, which include a government lawsuit for breaching anti-money laundering protocols and incidents in which it used outdated medical definitions to refuse sick customers health insurance payouts. It has also raised questions about why the regulators permitted the CBA to keep mum instead of alerting customers.
Australian Privacy Foundation vice chair Kat Lane expressed her disapproval in a Guardian report on the incident. “It’s unclear to me how the bank and the two regulators came to this view that we aren’t entitled to know. They dropped the ball,” she said.
“Our data is incredibly valuable and we should be able to seek compensation. These businesses that hold our personal information should be incentivised heavily by penalties to keep our data confidential.
“Obviously there’s a major failure here, and the data breach notification laws haven’t gone nearly far enough to resolve those failures.”